0DAY - Pwned since MMXVI

Welcome to my personal site. I’m dhn, Red teamer from 0x41414141 with more than 0x06 years of professional experience. My major focus is on red teaming, exploits development and reverse engineering. Currently, I hold the OSEE, OSCE, OSCP and RTO certification, I <3 coffee and I always try harder. From time to time, I break things and write about it in this blog - future plans also include to write about security-related stuff such as CTF, boot2root or exploit development.

ASUS Aura Sync: Stack-Based Buffer Overflow

0x01: Details Advisory: ASUS Aura Sync 1.07.71 ene.sys Stack-Based Buffer Overflow Advisory ID: DH-ADV-2019-001 CVE ID: CVE-2019-17603 Revision: 1.1 Last Modified: 2019/10/14 Date Reported: 2019/09/08 Advisory Published: 2020/06/01 Affected Software: Asus Aura Sync Remotely Exploitable: No Locally Exploitable: Yes Vendor URL: https://www.asus.com/ 0x02: Vulnerability details The kernel driver ene.sys shipped with ASUS Aura Sync version 1.07.71 contains a vulnerability in the code that handles IOCTL requests. Exploitation of this vulnerability can result in:...

June 1, 2020 · 5 min · dhn

BFS Ekoparty 2019 Exploitation Challenge

TL;DR: In this blog, I’ll explain my approach to solve the BFS exploitation challenge [1]. The challenge was published by BFS to win a ticket for the BFS-IOACTIVE party during the Ekoparty conference. The exploit was developed on Windows 10 x64 1909. 0x01: Introduction A while ago I’ve seen this challenge published by BFS. The aim of this challenge was to bypass Address Space Layout Randomization (ASLR) remotely, get code execution, and execute a calc....

April 30, 2020 · 10 min · dhn

PHP - 'open_basedir' & 'disable_functions' bypass techniques

TL;DR: This blog post will cover some open_basedir bypass techniques and also some disable_functions as bonus. 0x01: Introduction Sometimes it is possible to place a PHP file on a web server during a pentest with the aim to achieve code execution. Unfortunately, or “lucky” for the client, PHP is configured to disabled most of the common techniques to execute system commands. The most common settings are open_basedir and disable_functions. The open_basedir option, that can define in the ‘php....

January 13, 2020 · 23 min · dhn