d0ntrash

@d0ntrash.bsky.social

Security Researcher @neodyme.io | CTF, Fuzzing, Embedded Security

140 Followers  |  721 Following  |  4 Posts  |  Joined: 22.11.2024  |  1.9851

Latest posts by d0ntrash.bsky.social on Bluesky

Link preview: Did You Train on My Voice? Exploring Privacy Risks in ASR
This post explores a recent research paper on membership inference attacks targeting Automatic Speech Recognition (ASR) models. It breaks down how subtle signals like input perturbation and model loss...

Think your speech model is secure?
It might be quietly leaking what it was trained on.

In a new blog post, we explain membership inference attacks and why they matter for cyber security experts.
🔗 neodyme.io/en/blog/memb...

02.07.2025 14:03 | 👍 3  🔁 2  💬 0  📌 0
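The post above only names the signal (per-example loss) that membership inference attacks exploit. The following is an added example, not code from Neodyme or from the paper the post links: a loss-threshold membership inference attack of the kind introduced by Yeom et al., run on constructed data. A model fits its training set better than unseen data, so training members tend to have lower loss; the attacker learns a cut-off on shadow data under her control and then labels any target example below that cut-off as "trained on". All losses here are synthetic Gaussian draws standing in for per-utterance ASR losses, and the input-perturbation signal the post mentions is not modelled.

```python
"""
Added example: loss-threshold membership inference on constructed data.
Nothing here is Neodyme's code; the loss values are synthetic.
"""
from __future__ import annotations

import random


def attack_rates(member_losses, nonmember_losses, threshold):
    """TPR and FPR of the decision rule 'member iff loss <= threshold'."""
    tpr = sum(x <= threshold for x in member_losses) / len(member_losses)
    fpr = sum(x <= threshold for x in nonmember_losses) / len(nonmember_losses)
    return tpr, fpr


def membership_advantage(member_losses, nonmember_losses, threshold):
    """Membership advantage TPR - FPR; 0 means the attack is a coin flip."""
    tpr, fpr = attack_rates(member_losses, nonmember_losses, threshold)
    return tpr - fpr


def choose_threshold(shadow_members, shadow_nonmembers):
    """Pick the cut-off that maximises advantage on shadow data the attacker
    owns (in practice: losses of a shadow model trained on data she knows)."""
    candidates = sorted(set(shadow_members) | set(shadow_nonmembers))
    return max(candidates,
               key=lambda t: membership_advantage(shadow_members, shadow_nonmembers, t))


def tpr_at_fpr(member_losses, nonmember_losses, max_fpr):
    """Best TPR reachable while keeping FPR <= max_fpr. The low-FPR regime is
    what matters: an attacker who flags half of the non-members as members
    has learned little, even if the average advantage looks respectable."""
    best = 0.0
    for t in sorted(set(member_losses) | set(nonmember_losses)):
        tpr, fpr = attack_rates(member_losses, nonmember_losses, t)
        if fpr <= max_fpr:
            best = max(best, tpr)
    return best


def synthetic_losses(n, mean, sd, seed):
    """Constructed stand-in for per-utterance losses; not real model output."""
    rng = random.Random(seed)
    return [max(0.0, rng.gauss(mean, sd)) for _ in range(n)]


def run_demo(gap=0.8, sd=0.5, n=500):
    """Members get a mean loss lower than non-members by `gap`. Returns the
    threshold learned on shadow data and how it performs on the target set."""
    shadow_m = synthetic_losses(n, 1.0, sd, seed=1)
    shadow_n = synthetic_losses(n, 1.0 + gap, sd, seed=2)
    target_m = synthetic_losses(n, 1.0, sd, seed=3)
    target_n = synthetic_losses(n, 1.0 + gap, sd, seed=4)
    threshold = choose_threshold(shadow_m, shadow_n)
    return {
        "threshold": threshold,
        "advantage": membership_advantage(target_m, target_n, threshold),
        "tpr_at_1pct_fpr": tpr_at_fpr(target_m, target_n, 0.01),
    }


if __name__ == "__main__":
    # gap=0 is a model that generalises perfectly: the attack should collapse.
    for gap in (0.0, 0.4, 0.8):
        print(f"gap={gap}: {run_demo(gap=gap)}")
```

The `gap` parameter is the generalisation gap in loss units; sweeping it from 0 upward shows the attack going from useless to reliable, which is exactly the leak the post warns about. When evaluating a real ASR model, replace `synthetic_losses` with the per-utterance loss (or a score derived from the transcript's confidence) and report TPR at 1% FPR rather than only the advantage.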
Link preview: Pwn2Own Ireland 2024: Canon imageCLASS MF656Cdw
This blogpost starts a series about various exploits at Pwn2Own 2024 Ireland (Cork). This and the upcoming posts will detail our research methodology and journey in exploiting different devices. We st...

At #Pwn2Own Ireland 2024, we successfully targeted the SOHO Smashup category. 🖨️
Starting with a QNAP QHora-322 NAS, we pivoted to the Canon imageCLASS MF656Cdw - and ended up with shellcode execution.
Read the full vulnerability deep dive here 👉 neodyme.io/en/blog/pwn2...

22.05.2025 11:06 | 👍 3  🔁 2  💬 0  📌 0
Link preview: HTML to PDF Renderer: A tale of local file access and shellcode execution
In a recent engagement, we found an HTML to PDF converter API endpoint that allowed us to list local directories and files on a remote server. One of the PDF files we created, revealed that the conver...

From iframes and file reads to full RCE. 🔥

We found an HTML-to-PDF API allowing file reads and SSRF - then chained it into remote code execution via a Chromium 62 WebView exploit.

👉 Read the full write-up here: neodyme.io/en/blog/html...

02.05.2025 11:03 | 👍 3  🔁 3  💬 0  📌 0
Interested in learning about Windows exploitation?

This August, join us in Las Vegas for an intensive, hands-on 4-day DEFCON training:
Binary Exploitation on Windows, led by Felipe and Kolja!

πŸ—“οΈ When: August 9–12, 2025
πŸ“ Where: Las Vegas Convention Center

29.04.2025 07:52 | 👍 1  🔁 1  💬 1  📌 0
Link preview: The Key to COMpromise - Writing to the Registry (again), Part 4
In this series of blog posts, we cover how we could exploit five reputable security products to gain SYSTEM privileges with COM hijacking. If you've never heard of this, no worries. We introduce all r...

Wrapping up our COM hijacking series! 🎉

In the final part, we discuss a custom IPC protocol, use a registry write to gain SYSTEM privileges, and explore Denial of Service attacks on security products. 💥💻

Don't miss it! neodyme.io/en/blog/com_...

26.02.2025 15:38 | 👍 2  🔁 2  💬 0  📌 0
Link preview: Introducing HyperHook: A harnessing framework for Nyx
In this post, we introduce HyperHook, a harnessing framework for snapshot-based fuzzing for user-space applications using Nyx. HyperHook simplifies guest-to-host communication and automates repetitive...

πŸͺIntroducing HyperHook! πŸͺ
A harnessing framework for snapshot-based #fuzzing using Nyx. βš’οΈ
HyperHook simplifies guest-to-host communication & automates repetitive tasks, making snapshot-fuzzing easier & more efficient!
πŸ”— Read more: neodyme.io/en/blog/hype...

05.02.2025 15:18 | 👍 3  🔁 3  💬 0  📌 0
Link preview: The Key to COMpromise - Abusing a TOCTOU race to gain SYSTEM, Part 2
In this series of blog posts, we cover how we could exploit five reputable security products to gain SYSTEM privileges with COM hijacking. If you've never heard of this, no worries. We introduce all r...

🔎 Part 2 of our COM hijacking series is live!
This time, we discuss a vulnerability in AVG Internet Security, where we bypass an allow-list, disable self-protection, and exploit an update mechanism to escalate privileges to SYSTEM 🚀💻
neodyme.io/en/blog/com_...

29.01.2025 15:17 | 👍 5  🔁 2  💬 0  📌 0
Link preview: On Secure Boot, TPMs, SBAT, and downgrades -- Why Microsoft hasn't fixed BitLocker yet

From startups to large companies, we've seen this setup used by many corporate clients in the wild. Here's why this is so difficult to fix and why Microsoft has not changed the exploitable default settings yet: neodyme.io/blog/bitlock...

17.01.2025 14:20 | 👍 3  🔁 2  💬 0  📌 0

If you are using BitLocker and hardware attacks were not enough to convince you to enable preboot authentication, check out my colleague's posts on a software-only attack to dump the encryption key from RAM.

17.01.2025 14:32 | 👍 1  🔁 0  💬 0  📌 0
Link preview: The Key to COMpromise - Pwning AVs and EDRs by Hijacking COM Interfaces, Part 1
In this series of blog posts, we cover how we could exploit five reputable security products to gain SYSTEM privileges with COM hijacking. If you've never heard of this, no worries. We introduce all r...

Following our #38c3 talk about exploiting security software for privilege escalation, we're excited to kick off a new blog series! 🎊
Check out our first blog post on our journey to 💥 exploit five reputable security products to gain privileges via COM hijacking: neodyme.io/blog/com_hij...

15.01.2025 15:11 | 👍 5  🔁 5  💬 0  📌 0
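The posts in this series describe COM hijacking only by name. The mechanism behind it: COM resolves a CLSID through HKCR, which is a merged view in which HKCU\Software\Classes takes precedence over HKLM\Software\Classes. An unprivileged user can therefore create HKCU\Software\Classes\CLSID\{...}\InprocServer32 for a CLSID that a SYSTEM service later instantiates, and that service loads the user's DLL. The check below is an added example, not Neodyme's code and not from the blog series: it parses a .reg-style export and reports every per-user server registration that shadows a machine-wide one with a different path, or that registers a CLSID with no machine-wide definition at all. The export text, CLSIDs and paths in it are constructed for illustration; on a live host you would feed it the output of `reg export` for the two Classes\CLSID keys.

```python
"""
Added example: find per-user COM server registrations that shadow or
supplement machine-wide ones, the registry precondition for COM hijacking.
Not Neodyme's code; the sample .reg text is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

_KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\Classes\\"
    r"(?:Wow6432Node\\)?CLSID\\(\{[0-9A-Fa-f-]+\})\\(InprocServer32|LocalServer32)\]$",
    re.IGNORECASE,
)
_DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')
_HIVE = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}


@dataclass(frozen=True)
class ComServer:
    hive: str   # HKCU or HKLM
    clsid: str  # {...}, upper-cased
    kind: str   # InprocServer32 (DLL) or LocalServer32 (EXE)
    path: str   # default value of the server key


def parse_reg_export(text: str) -> list[ComServer]:
    """Collect the default value of every CLSID server key in a .reg dump."""
    servers: list[ComServer] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = _KEY_RE.match(line)
            if m:
                kind = "InprocServer32" if m.group(3).lower() == "inprocserver32" else "LocalServer32"
                current = (_HIVE[m.group(1).upper()], m.group(2).upper(), kind)
            else:
                current = None
        elif current and (m := _DEFAULT_VALUE_RE.match(line)):
            # .reg files write a single backslash as "\\"
            servers.append(ComServer(*current, m.group(1).replace("\\\\", "\\")))
            current = None
    return servers


def find_hijacks(servers: list[ComServer]) -> list[tuple[str, str, str, str]]:
    """Return (clsid, kind, user_path, reason) for each suspicious HKCU entry."""
    by_key: dict[tuple[str, str], dict[str, ComServer]] = {}
    for s in servers:
        by_key.setdefault((s.clsid, s.kind), {})[s.hive] = s
    findings = []
    for (clsid, kind), hives in by_key.items():
        user = hives.get("HKCU")
        if user is None:
            continue
        machine = hives.get("HKLM")
        if machine is None:
            reason = "HKCU-only registration for a CLSID with no HKLM definition"
        elif machine.path.casefold() != user.path.casefold():
            reason = f"shadows HKLM server {machine.path}"
        else:
            continue  # same path in both hives: a benign per-user re-registration
        findings.append((clsid, kind, user.path, reason))
    return findings


# Constructed sample export; no real product's registration is shown here.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\ExampleAV\\avcom.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\payload.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{99999999-8888-7777-6666-555555555555}\LocalServer32]
@="C:\\Users\\alice\\tools\\proxy.exe"
'''


if __name__ == "__main__":
    for clsid, kind, path, reason in find_hijacks(parse_reg_export(SAMPLE_REG)):
        print(f"{clsid} {kind}: {path} ({reason})")
```

A finding is only a precondition, not proof of a hijack: whether it is exploitable for privilege escalation depends on a privileged process instantiating that CLSID with the user's hive loaded, which is the part the blog series investigates per product. The HKCU-only case is worth keeping in the report because services sometimes CoCreateInstance CLSIDs that are never registered on the machine, and those can be claimed by anyone.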

Kids these days don't even know how much opportunity they have to learn hacking from actual pros.

I know there is a lot of content out there, so it can be hard to find the good stuff. But 10 years ago you had to be lucky to find at least something.

Anyway, watch this πŸ‘‡

31.12.2024 10:10 | 👍 61  🔁 9  💬 2  📌 0
Link preview: GitHub - 0x4d5a-ctf/38c3_com_talk: Slides for COM Hijacking AV/EDR Talk on 38c3

Slides for our talk "The Key to COMpromise" (AV/EDR privilege escalation) are on GitHub.

If you want to discuss this stuff, you can find @k0lj4.bsky.social or me at the CTF area of #38c3

github.com/0x4d5a-ctf/3...

28.12.2024 17:32 | 👍 6  🔁 4  💬 0  📌 0

To little surprise, it seems that multiple #antivirus vendors have been ignoring COM hijacking as a self-defense bypass and LPE vector since at least 2018, when I first published about this technique (see my prev post).

At #38c3 guys from Neodyme demonstrated some more elegant
1/2

28.12.2024 15:58 | 👍 13  🔁 4  💬 1  📌 0
ND people are @ #38C3 in Hamburg, Germany. Be sure to check out our two talks about LPEs in AV/EDR products (Saturday, 4 PM, YELL) and a not-yet-mitigated BitLocker flaw! (Saturday, 7:15 PM, HUFF)

27.12.2024 17:51 | 👍 2  🔁 3  💬 1  📌 1

Watch the recording of my #ekoparty talk "Advanced #Fuzzing with #LibAFL" here:

youtu.be/FI7C37lz4Rg?...

Thanks @fede-k.bsky.social for this amazing event!

10.12.2024 06:01 | 👍 41  🔁 12  💬 0  📌 1

Thanks for sharing! 🙏
Let me know if you have questions/feedback 🙂

30.11.2024 12:22 | 👍 1  🔁 0  💬 0  📌 0
Link preview: Gotta RE 'em All: Reversing C++ Virtual Function Tables with Binary Ninja
C++ can be frustrating to reverse engineer. Explore how to reverse engineer those with Binary Ninja.

Reversing C++ structures can be tricky. Binary Ninja makes it easier. I wrote up a walkthrough to clean up those pesky vtables. @binary.ninja

www.seandeaton.com/gotta-re-em-...

#binaryninja #reverseengineering #ghidra #ida

27.11.2024 13:48 | 👍 16  🔁 13  💬 1  📌 2

Honored to see my own work on the list! 😊

29.11.2024 18:59 | 👍 3  🔁 0  💬 1  📌 0
Link preview: From Guardian to Gateway: The Hidden Risks of EDR Vulnerabilities
Explore the hidden risks within security software as we dive into vulnerabilities of Wazuh, a popular EDR solution. This post reveals how even trusted tools can become targets, highlighting the import...

💥 When security software itself becomes a target! 💥
Learn how we've uncovered critical vulnerabilities in Wazuh, turning a powerful security tool into an unexpected attack vector.
👉 Read more about the findings:
neodyme.io/en/blog/wazu...

29.11.2024 11:11 | 👍 2  🔁 2  💬 0  📌 0
I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win& Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...

25.11.2024 17:31 | 👍 64  🔁 43  💬 3  📌 0
Confirmed! Team Neodyme (@Neodyme) used a stack-based buffer overflow to exploit the HP Color LaserJet Pro MFP 3301fdw printer. They earn $20,000 and 2 Master of Pwn points. #Pwn2Own #P2OIreland

22.10.2024 10:58 | 👍 6  🔁 3  💬 1  📌 0

Don't really know the purpose of starter packs yet, but here's some people who fuzz(ed). Let me know who I forgot

go.bsky.app/EhGFSVj

21.11.2024 19:53 | 👍 25  🔁 8  💬 2  📌 0
Link preview: Advanced Fuzzing With LibAFL @ Ekoparty 2024 (slides by Dominik Maier, Ekoparty, 2024-11-15)

Slides for my @ekoparty talk "Advanced Fuzzing With LibAFL" ->
docs.google.com/presentation...

15.11.2024 19:27 | 👍 44  🔁 21  💬 0  📌 1
Link preview: From Guardian to Gateway: The Hidden Risks of EDR Vulnerabilities
Explore the hidden risks within security software as we dive into vulnerabilities of Wazuh, a popular EDR solution. This post reveals how even trusted tools can become targets, highlighting the import...

Just published a blog post about some critical vulnerabilities I discovered in Wazuh last year! The post covers details on how I found these vulnerabilities and highlights why security tools like EDRs can themselves become valuable targets for attackers.
#infosec

neodyme.io/en/blog/wazu...

22.11.2024 16:52 | 👍 8  🔁 3  💬 0  📌 0