A practical look at DLL sideloading and proxying: how attackers abuse trusted Windows executables to load malicious DLLs while keeping the app running normally.
From API Key to Server Takeover: How LiteLLM 1.83.14 Chained Secret Leakage and Jinja2 SSTI into RCE
A LiteLLM 1.83.14 exploit chain leaks the master key through callback metadata, then abuses non-sandboxed Jinja2 GitLab prompts to achieve server-side RCE.
One Newline to Own Exim: How a Tiny TLS/BDAT Use-After-Free Became Unauthenticated RCE
A deep dive into CVE-2026-45185: an unauthenticated Exim RCE where one stale TLS/BDAT ungetc() byte corrupts freed memory and leads to exploitation.
No More Hardcoded Kernel Offsets: Turning Microsoft PDB Symbols into a Runtime BYOVD Superpower
A Windows kernel research technique that uses Microsoft PDB symbols to resolve offsets dynamically, avoiding hardcoded values and manual WinDBG work across builds.
Building a DIY EDR from Scratch: Windows Kernel Callbacks, User-Mode Hooks, and Shellcode Injection Detection
A hands-on guide to building a basic Windows EDR with a kernel driver, callbacks, static analysis, DLL injection, and hooks to detect remote shellcode injection.
Process Injection Without the Usual Red Flags: Abusing Windows Primitives to Outsmart Classic EDR Telemetry
A Windows injection technique that builds remote read/write/allocation primitives with limited process access rights, avoiding the classic ReadProcessMemory/WriteProcessMemory (RPM/WPM) telemetry and the noisy high-privilege handle access flags that EDRs key on.
Dirty Frag: A New Linux Page-Cache Privilege Escalation Class
Dirty Frag is a Linux kernel local privilege escalation class abusing zero-copy networking, skb fragments, and in-place crypto to corrupt page cache memory and gain root privileges.
Shadow SSDT Hijacking: Achieving Kernel Code Execution via Read-Write Primitives
The article shows how Shadow SSDT hijacking can turn kernel read/write primitives into transient kernel code execution by redirecting a GUI syscall path through win32k and restoring it afterward.
Patchless AMSI Bypass via Page Guard Exceptions
The article shows a patchless AMSI bypass using Page Guard exceptions and VEH to intercept AmsiScanBuffer, force an early clean return, and avoid direct code patching.
Recursively fuzzing MS-RPC structures and monitoring using ETW
The article updates MS-RPC-Fuzzer with recursive structure fuzzing, union support, ETW-based syscall monitoring, canary tracking, crash replay, and a Spooler case where SYSTEM loads a DLL.