CVE-2024-1065 is a physical-page use-after-free in the ARM Mali GPU kernel driver. Because the freed page lands in MIGRATE_MOVABLE, Dirty Pagetable and Dirty Cred do not apply — so this writeup uses a page-cache spray to swap the freed page into the in-memory copy of /usr/bin/passwd and gets root via execve() without touching disk.
Weaponizing Writable SMB Shares to Steal Domain Credentials
A walkthrough of a classic-but-still-effective Active Directory attack: how write access to an SMB share — plus a single .lnk file — lets an attacker capture Net-NTLMv2 hashes from every user who simply browses the folder, with no clicks, no payload execution, and almost no EDR signal.
Centurion: A Virtualized Loader and the “Bring Your Own Execution Environment” Model
Praetorian’s Centurion is a virtualized loader built around a custom x86-64-inspired ISA and freestanding C runtime, where the PE loader, TLS stack and HTTP client all live behind the interpretation layer. The result is a TLS bind shell running inside a custom VM, shipped in roughly a week of LLM-assisted development.
Overcoming Space Restrictions with Egghunters in Windows Exploit Development — Savant Web Server 3.1, Syscall & SEH Egghunters, Heap Staging
When a Windows stack overflow gives you ~250 bytes of crash-buffer space but a useful Meterpreter payload is 400+ bytes, the answer is an egghunter. This walkthrough takes Savant Web Server 3.1 from initial crash to NT-level shell: partial overwrite to defeat the savant.exe null-byte module base, POP EAX RET gadget, a 7-byte conditional jump that exploits pre-zeroed memory, two independent buffers (URL path + HTTP body), then both classic egghunters — syscall-based on Windows 10 (with the NEG trick to encode 0x1C8 null-free) and the OS-agnostic SEH-based variant with a custom dispatcher handler.
Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1732): Walkthrough of the ConsoleControl Offset Confusion
CVE-2021-1732 is a Win32k local privilege escalation in win32kfull.sys. By flipping the 0x800 bit on tagWND with NtUserConsoleControl and returning a fake value from a user-mode callback inside xxxClientAllocWindowClassExtraBytes, an attacker turns the cbWndExtra length into a controllable kernel write offset and walks the token to NT AUTHORITY SYSTEM. End-to-end Metasploit PoC against Windows 10 20H2.
GreatXML: Bypassing BitLocker on Windows 11 via a Recovery-Partition unattend.xml
GreatXML is a one-file BitLocker bypass against Windows 11 24H2. Drop an attacker-controlled unattend.xml and ReAgent.xml into the root of the recovery partition; the next Defender Offline reboot honours them at the WinPE Setup pass and spawns an Administrator conhost.exe on top of the splash. The C: volume is already TPM-unsealed at that point, so the shell can cd C: and read everything. No crypto attack, no kernel exploit — just physical access plus two XML files. We reproduce the README, both XML files and both proof screenshots, explain why it works, and give a hardening checklist (TPM+PIN, reagentc /disable, recovery-partition integrity).
Covert Kernel/User Communication Channels on Windows: Rootkits, Game Cheats, and Detection
A defender-side surface map of Windows kernel/user-mode covert channels — mailslots and ALPC, firmware-table providers and WNF, dispatch tables and writable .data pointers, KernelCallbackTable, MDL-backed mailboxes, GPU/DXGK primitives, page-guard signals, EPT/MMIO, DMA cards, and visual capture. Covers the six-plane channel grammar, PatchGuard exposure classes, and a production detection program with baselines, cross-view validation, and false-positive control.
Patching the Windows Kernel via BYOVD: ThrottleStop.sys, MmMapIoSpace and the NtAddAtom Trampoline
zer0matt’s Milan0day 2026 talk walks through a clean BYOVD chain: ThrottleStop.sys (CVE-2025-7771) gives arbitrary physical-memory R/W via MmMapIoSpace, used to inline-patch NtAddAtom into a temporary trampoline. Phase 1 redirects to PsLookupProcessByProcessId to lift the target’s EPROCESS pointer; phase 2 redirects to PsTerminateProcess to kill the AV/EDR from kernel mode. Original bytes are restored after each shot to dodge PatchGuard. PoC: github.com/zer0matt/Milan0day2026
Client-Side Container Attack: DLL Sideloading wab.exe via Email Archive Delivery
Walkthrough of an initial-access chain that ships a signed Microsoft binary (wab.exe / Windows Address Book) and a hidden CRYPTDLG.dll proxy in the same archive, delivered via Google Drive to dodge Gmail’s blanket 7-zip block. perfect-dll-proxy / SharpDllProxy generate the forwarder, cl.exe compiles the x64 DLL, DllMain pops a MessageBox to confirm execution — and when MotW doesn’t propagate through the extract step the operator gets clean code execution under a trusted Microsoft signer.
Microsoft Defender Now Monitors Remote RPC Activity: What It Catches and How to Hunt
Microsoft Defender now audits inbound remote RPC calls at OpNum-level granularity through a Windows Filtering Platform integration, surfacing telemetry in Advanced Hunting and feeding detections like Impacket-style hands-on-keyboard, suspicious remote service creation, LSA secrets theft, RPC user / session discovery, and authentication coercion — with sample KQL queries for Remote Registry abuse, remote service creation, and NetrSessionEnum-based session discovery.