GreatXML is a one-file BitLocker bypass against Windows 11 24H2. Drop an attacker-controlled unattend.xml and ReAgent.xml into the root of the recovery partition; the next Defender Offline reboot honours them at the WinPE Setup pass and spawns an Administrator conhost.exe on top of the splash. The C: volume is already TPM-unsealed at that point, so the shell can cd C: and read everything. No crypto attack, no kernel exploit — just physical access plus two XML files. We reproduce the README, both XML files and both proof screenshots, explain why it works, and give a hardening checklist (TPM+PIN, reagentc /disable, recovery-partition integrity).
CVE-2024-27398: Exploiting a Linux Bluetooth SCO Use-After-Free with SMEP Bypass
A full walkthrough of CVE-2024-27398, a race-induced use-after-free in the Linux 6.8 Bluetooth SCO subsystem. The exploit races two connect() threads on the same SCO socket to orphan a delayed-work timer, reclaims the freed sock with add_key(), forges a valid DEBUG_SPINLOCK pattern in the spray payload, and uses an xchg eax, esp ; ret gadget to pivot the kernel stack into userspace — bypassing SMEP with pure ROP and overwriting modprobe_path to get root.
Plug Me If You Can: Exploiting USB Printer Drivers in Windows
ENKI analyzes CVE-2026-32223, a heap overflow in Windows usbprint.sys triggered by malformed USB printer descriptors, leading to SYSTEM privilege escalation via a crafted USB device.
Vulnerability: When Microsoft Defender Becomes the Primitive – RedSun PoC
This vulnerability shows how Windows Defender file handling can be abused through filesystem races, Cloud Files APIs, and reparse points to redirect privileged writes and escalate from a low-privileged user to SYSTEM.
BullFrog DNS Pipelining: Smuggling Data Past CI/CD Egress Filters
A parsing flaw in BullFrog’s DNS-over-TCP handling allows attackers to bypass CI/CD egress filtering by pipelining DNS queries. The filter validates only the first query, letting malicious queries slip through.
BlueHammer: Exploiting Microsoft Defender Update Workflow to Leak SAM and Escalate to SYSTEM
BlueHammer shows how Microsoft Defender’s update workflow can be abused to redirect privileged file access to a Volume Shadow Copy. By exploiting filesystem races and NT namespace tricks, the technique leaks the SAM hive, extracts NTLM hashes, and enables privilege escalation to SYSTEM.
PoisonX: Terminating Protected Windows Processes via BYOVD
PoisonX is a Bring Your Own Vulnerable Driver (BYOVD) research tool that leverages a signed Microsoft kernel driver to terminate any Windows process — including PP (Protected Processes) and PPL (Protected Process Light) processes such as EDR/AV services.
Signed to Kill: Reverse Engineering a 0-Day Used to Disable CrowdStrike EDR
The article analyzes a Microsoft-signed vulnerable driver used in a BYOVD attack to kill security processes. By sending crafted IOCTL requests with a target PID, attackers can terminate EDR services such as CrowdStrike Falcon.
Escaping the VM: From Guest Code to Host Compromise in VMware Workstation
The article explains how vulnerabilities in VMware Workstation can enable a guest-to-host escape, allowing malicious code running inside a VM to exploit virtual device bugs and execute code on the host system.
Breaking Process Protection: Exploiting CVE-2026-0828 in ProcessMonitorDriver.sys
The KillChain exploit leverages a vulnerability in ProcessMonitorDriver.sys (CVE-2026-0828) by abusing an exposed IOCTL that allows a user-mode application to terminate arbitrary processes — including protected system services — effectively bypassing standard Windows security checks.