EXP-401(OSEE), also known as Advanced Windows Exploitation (AWE), is considered OffSec's hardest certification. As of now, only about 100–200 people worldwide hold this certification, and the pass rate is around 10%.
In-depth research into Windows Kernel Streaming vulnerabilities, revealing MDL misuse, buffer misalignment, and exploitation techniques used in CVE-2024-38238 and others.
Windows 11's KB5031455 update adds RAR and 7z support via libarchive, but DEVCORE discovered multiple vulnerabilities, including Heap Buffer Overflow and arbitrary file operations. Delayed patching also enables “Half-day” attacks, putting projects like ClickHouse at risk. A step forward in convenience—or a hidden security threat?
The research unveils a new attack surface in Windows by exploiting Best-Fit, an internal charset conversion feature. Through our work, we successfully transformed this feature into several practical attacks, including Path Traversal, Argument Injection, and even RCE, affecting numerous well-known applications!
This research continues to explore the attack surface of Kernel Streaming, delving into newly discovered vulnerabilities within another feature of Kernel Streaming and demonstrating how to leverage this bug class to successfully attack Windows 11. This topic was also presented at HEXACON 2024.
This research will discuss an overlooked attack surface that allowed us to find more than ten vulnerabilities within two months. Additionally, we will delve into a proxy-based logical vulnerability type that allows us to bypass most validations, enabling us to successfully exploit Windows 11 in Pwn2Own Vancouver 2024.
This article explores architectural issues within the Apache HTTP Server, highlighting several technical debts within Httpd, including 3 types of Confusion Attacks, 9 new vulnerabilities, 20 exploitation techniques, and over 30 case studies. The content includes, but is not limited to: 1. How a single ? can bypass Httpd's built-in access control and authentication. 2. How unsafe RewriteRules can escape the Web Root and access the entire filesystem. 3. How to leverage a piece of code from 1996 to transform an XSS into RCE.
We have also proved this attack works naturally on Microsoft Exchange Server. By leveraging the default activated Exchange Active Monitoring service, we can enter HealthMailbox's mailbox without passwords!
In order to leverage the vulnerabilities, we put part of efforts into review of Sandstorm's source codes, and tried to escape the sandbox to impact the whole server...
