d0ntrash
@d0ntrash.bsky.social
Security Researcher @neodyme.io | CTF, Fuzzing, Embedded Security
Pinned
d0ntrash
@d0ntrash.bsky.social
· Nov 22
From Guardian to Gateway: The Hidden Risks of EDR Vulnerabilities
Explore the hidden risks within security software as we dive into vulnerabilities of Wazuh, a popular EDR solution.
This post reveals how even trusted tools can become targets, highlighting the import...
neodyme.io
Just published a blog post about some critical vulnerabilities I discovered in Wazuh last year! The post covers details on how I found these vulnerabilities and highlights why security tools like EDRs can themselves become valuable targets for attackers.
#infosec
neodyme.io/en/blog/wazu...
Reposted by d0ntrash
Think your speech model is secure?
It might be quietly leaking what it was trained on.
In a new blog post, we explain membership inference attacks and why they matter for cyber security experts.
🔗 neodyme.io/en/blog/memb...
Did You Train on My Voice? Exploring Privacy Risks in ASR
This post explores a recent research paper on membership inference attacks targeting Automatic Speech Recognition (ASR) models. It breaks down how subtle signals like input perturbation and model loss...
neodyme.io
July 2, 2025 at 2:03 PM
Reposted by d0ntrash
At #Pwn2Own Ireland 2024, we successfully targeted the SOHO Smashup category. 🖨️
Starting with a QNAP QHora-322 NAS, we pivoted to the Canon imageCLASS MF656Cdw - and ended up with shellcode execution.
Read the full vulnerability deep dive here 👉 neodyme.io/en/blog/pwn2...
Pwn2Own Ireland 2024: Canon imageCLASS MF656Cdw
This blogpost starts a series about various exploits at Pwn2Own 2024 Ireland (Cork). This and the upcoming posts will detail our research methodology and journey in exploiting different devices. We st...
neodyme.io
May 22, 2025 at 11:06 AM
Reposted by d0ntrash
From iframes and file reads to full RCE. 🔥
We found an HTML-to-PDF API allowing file reads and SSRF - then chained it into remote code execution via a Chromium 62 WebView exploit.
👉 Read the full write-up here: neodyme.io/en/blog/html...
HTML to PDF Renderer: A tale of local file access and shellcode execution
In a recent engagement, we found an HTML to PDF converter API endpoint that allowed us to list local directories and files on a remote server. One of the PDF files we created, revealed that the conver...
neodyme.io
May 2, 2025 at 11:03 AM
Reposted by d0ntrash
Interested in learning about Windows exploitation?
This August, join us in Las Vegas for an intensive, hands-on 4-day DEFCON training:
Binary Exploitation on Windows, led by Felipe and Kolja!
🗓️ When: August 9–12, 2025
📍 Where: Las Vegas Convention Center
April 29, 2025 at 7:52 AM
Reposted by d0ntrash
Wrapping up our COM hijacking series! 🎉
In the final part, we discuss a custom IPC protocol, use a registry write to gain SYSTEM privileges, and explore Denial of Service attacks on security products. 💥💻
Don't miss it! neodyme.io/en/blog/com_...
The Key to COMpromise - Writing to the Registry (again), Part 4
In this series of blog posts, we cover how we could exploit five reputable security products to gain SYSTEM privileges with COM hijacking. If you've never heard of this, no worries. We introduce all r...
neodyme.io
February 26, 2025 at 3:38 PM
Reposted by d0ntrash
🪝Introducing HyperHook! 🪝
A harnessing framework for snapshot-based #fuzzing using Nyx. ⚒️
HyperHook simplifies guest-to-host communication & automates repetitive tasks, making snapshot-fuzzing easier & more efficient!
🔗 Read more: neodyme.io/en/blog/hype...
Introducing HyperHook: A harnessing framework for Nyx
In this post, we introduce HyperHook, a harnessing framework for snapshot-based fuzzing for user-space applications using Nyx. HyperHook simplifies guest-to-host communication and automates repetitive...
neodyme.io
February 5, 2025 at 3:18 PM
Reposted by d0ntrash
🔎Part 2 of our COM hijacking series is live!
This time, we discuss a vulnerability in AVG Internet Security, where we bypass an allow-list, disable self-protection, and exploit an update mechanism to escalate privileges to SYSTEM 🚀💻
neodyme.io/en/blog/com_...
The Key to COMpromise - Abusing a TOCTOU race to gain SYSTEM, Part 2
In this series of blog posts, we cover how we could exploit five reputable security products to gain SYSTEM privileges with COM hijacking. If you've never heard of this, no worries. We introduce all r...
neodyme.io
January 29, 2025 at 3:17 PM
Reposted by d0ntrash
From startups to large companies, we've seen this setup used by many corporate clients in the wild. Here's why this is so difficult to fix and Microsoft has not changed the exploitable default settings yet: neodyme.io/blog/bitlock...
On Secure Boot, TPMs, SBAT, and downgrades -- Why Microsoft hasn't fixed BitLocker yet
On Secure Boot, TPMs, SBAT and Downgrades -- Why Microsoft hasn't fixed BitLocker yet
neodyme.io
January 17, 2025 at 2:20 PM
If you are using BitLocker and hardware attacks were not enough to convince you to enable preboot authentication, check out my colleague's posts on a software-only attack to dump the encryption key from RAM.
Your laptop was stolen. It’s running Windows 11, fully up-to-date, device encryption (BitLocker) and Secure Boot enabled. Your data is safe, right? Think again! This software-only attack grabs your encryption key. Following up on our #38C3 talk: neodyme.io/blog/bitlock...
Windows BitLocker -- Screwed without a Screwdriver
Breaking up-to-date Windows 11 BitLocker encryption -- on-device but software-only
neodyme.io
January 17, 2025 at 2:32 PM
Reposted by d0ntrash
Following our #38c3 talk about exploiting security software for privilege escalation, we're excited to kick off a new blog series! 🎊
Check out our first blog post on our journey to 💥 exploit five reputable security products to gain privileges via COM hijacking: neodyme.io/blog/com_hij...
The Key to COMpromise - Pwning AVs and EDRs by Hijacking COM Interfaces, Part 1
In this series of blog posts, we cover how we could exploit five reputable security products to gain SYSTEM privileges with COM hijacking. If you've never heard of this, no worries. We introduce all r...
neodyme.io
January 15, 2025 at 3:11 PM
Reposted by d0ntrash
Kids these days don't even know how much opportunity they have to learn hacking from actual pros.
I know there is a lot of content out there, so it can be hard to find the good stuff. But 10 years ago you had to be lucky to find at least something.
Anyway, watch this 👇
My videos for Flare-On 2024 are live! Watch me reverse engineer all the challenges from start to end. 🎉🥳
+ Commentary video featuring SuperFashi, where we review the chals together.
* 45 hours of content
* 400+ GB of raw footage
Merry Christmas! Link: www.youtube.com/watch?v=vwW9...
Flare-On 2024 Solutions and Commentary
YouTube video by BasteG0d69
www.youtube.com
December 31, 2024 at 10:10 AM
Reposted by d0ntrash
Slides for our talk "The Key to COMpromise" (AV/EDR privilege escalation) are on GitHub.
If you want to discuss this stuff, you can find @k0lj4.bsky.social or me at the CTF area of #38c3
github.com/0x4d5a-ctf/3...
GitHub - 0x4d5a-ctf/38c3_com_talk: Slides for COM Hijacking AV/EDR Talk on 38c3
Slides for COM Hijacking AV/EDR Talk on 38c3. Contribute to 0x4d5a-ctf/38c3_com_talk development by creating an account on GitHub.
github.com
December 28, 2024 at 5:32 PM
Reposted by d0ntrash
To little surprise it seems that multiple #antivirus vendors have been ignoring COM hijacking as a self-defense bypass and LPE vector since at least 2018, when I first published about this technique (see my prev post).
At #38c3 guys from Neodyme demonstrated some more elegant
1/2
December 28, 2024 at 3:58 PM
Reposted by d0ntrash
ND people are @ #38C3 in Hamburg, Germany. Be sure to check out our two talks about LPEs in AV/EDR Products (Saturday, 4 PM YELL) and a not yet mitigated Bitlocker Flaw! (Saturday, 7:15 PM HUFF)
December 27, 2024 at 5:51 PM
Reposted by d0ntrash
Watch the recording of my #ekoparty talk "Advanced #Fuzzing with #LibAFL" here:
youtu.be/FI7C37lz4Rg?...
Thanks @fede-k.bsky.social for this amazing event!
December 10, 2024 at 6:01 AM
Reposted by d0ntrash
Reversing C++ structures can be tricky. Binary Ninja makes it easier. I wrote up a walkthrough to clean up those pesky vtables. @binary.ninja
www.seandeaton.com/gotta-re-em-...
#binaryninja #reverseengineering #ghidra #ida
Gotta RE 'em All: Reversing C++ Virtual Function Tables with Binary Ninja
C++ can be frustrating to reverse engineer. Explore how to reverse engineer those with Binary Ninja.
www.seandeaton.com
November 27, 2024 at 1:48 PM
Honored to see my own work on the list! 😊
Sitecore Exploit (@assetnote + @plopz0r), CI/CD CTF (@MagisterQuis), new Mythic agent (@silentwarble.bsky.social), cmake based win32 shellcode template (@ilove2pwn_), and more!
blog.badsectorlabs.com/last-week-in...
Last Week in Security (LWiS) - 2024-11-25
Sitecore Exploit (@assetnote + @plopz0r), CI/CD CTF (@MagisterQuis), new Mythic agent (@silentwarble), cmake based win32 shellcode template (@ilove2pwn_), and more!
blog.badsectorlabs.com
November 29, 2024 at 6:59 PM
Reposted by d0ntrash
💥When security software itself becomes a target! 💥
Learn how we've uncovered critical vulnerabilities in Wazuh, turning a powerful security tool into an unexpected attack vector.
👉 Read more about the findings:
neodyme.io/en/blog/wazu...
From Guardian to Gateway: The Hidden Risks of EDR Vulnerabilities
Explore the hidden risks within security software as we dive into vulnerabilities of Wazuh, a popular EDR solution.
This post reveals how even trusted tools can become targets, highlighting the import...
neodyme.io
November 29, 2024 at 11:11 AM
Reposted by d0ntrash
I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win & Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...
November 25, 2024 at 5:31 PM
Reposted by d0ntrash
Confirmed! Team Neodyme (@Neodyme) used a stack-based buffer overflow to exploit the HP Color LaserJet Pro MFP 3301fdw printer. They earn $20,000 and 2 Master of Pwn points. #Pwn2Own #P2OIreland
October 22, 2024 at 10:58 AM
Reposted by d0ntrash
Don't really know the purpose of starter packs yet, but here's some people who fuzz(ed). Let me know who I forgot
go.bsky.app/EhGFSVj
November 21, 2024 at 7:53 PM
Reposted by d0ntrash
Just published a blog post about some critical vulnerabilities I discovered in Wazuh last year! The post covers details on how I found these vulnerabilities and highlights why security tools like EDRs can themselves become valuable targets for attackers.
#infosec
neodyme.io/en/blog/wazu...
From Guardian to Gateway: The Hidden Risks of EDR Vulnerabilities
Explore the hidden risks within security software as we dive into vulnerabilities of Wazuh, a popular EDR solution.
This post reveals how even trusted tools can become targets, highlighting the import...
neodyme.io
November 22, 2024 at 4:52 PM