exploits.club Weekly Newsletter 53 - kCTF Wins, 2025 Learning Resources, Windows Kernel Bugs, and More
Happy New Year exploits.club family! May your 2025 be filled with more bugs and exploits...and stuff like love and friendship or whatever. Annnnnnyways
In Case You Missed It...
- 38C3 Videos Are Up! - If you missed all the action over the Holidays, now is the perfect time to relive it.
- Objective By The Sea Videos and Slide Release - More viewing for your hacking pleasure.
Learn Something New In 2025:
It's resolution season...and this is the year you are gonna stick to it. Here are some learning resources to help you on your way.
- A Collection Of 2024 CTF Challenge Summaries and Write-Ups
- Fuzzing101 Lab
- Flare-On 2024 Solutions and Commentary
- pwncollege V8 Write-Ups and Notes
Resources And Write-Ups From This Week:
- All I Want for Christmas is a CVE-2024-30085 Exploit - Didn't get what you wanted for Christmas? Don't worry, Star Labs did and they are willing to share. In this new blog post, the team walks through the exploitation of CVE-2024-30085, a heap overflow in the Windows Cloud Mini Filter Driver. The post starts with bindiffing the patch and understanding the vulnerability. From there it looks at how to actually reach the buggy code path in order to create a trigger PoC. We then shift to exploitation, where the strategy is outlined in a super simple...17 steps. Essentially, the bug can be used to get a kernel leak. From there, it can be triggered again to get arb read/write anddd it's game over.
- 0x03 - Approaching the Modern Windows Kernel Heap - A few weeks ago, we covered part 0 in this "Introduction to Windows Kernel Exploitation" blog series from @wetw0rk_bot. Since then, three additional entries have been released, each of which builds slightly on the previous. In 0x01, we take a look at how the stack overflow from 0x00 would work on a more modern Windows system, specifically focusing on the mitigations and how to bypass them. Part 0x02 then looks at a UAF and its exploitation on an older Windows 7 system. And in the most recent release, part 3 looks at that same UAF on a Windows 11 system, specifically focusing on how the allocators work and the role they play when working through exploit dev.
- kernelCTF VSock 0-day: CVE-2024-50264 - Looking for a post that covers the current meta of Linux exploit dev? Well this new write-up from @v4bel and @_qwerty_po covering their bug and exploit from kCTF hits all the good stuff. The bug itself is a dangling pointer, which is later derefed and written to, giving a UAF write. The bug is triggered via a race, which has a relatively complex flow and is nicely illustrated in a tweeted diagram. From there, the post jumps into exploit dev, which is one helping of cross cache attack with SLUBStick, followed by a side of arbitrary write with dirty pagetable, and topped off with a dessert of BPF JIT spray. Get you some of that.
- Having Fun with Flare-on Using Time-Travel Debugging (TTD) - Binary Ninja took to their blog this week to demonstrate how time-travel debugging (TTD) can be used to help solve Flare-On 2024's 9th challenge. Specifically, the post highlights how "Binary Ninja's debugger integrates WinDbg TTD support". It starts with an overview of the challenge, walking through an initial analysis from the entry point. It then provides a practical overview of how to record and replay TTD traces, and how to use the debugger data model and write queries. The post doesn't make it all the way to outright solving the 9th challenge, but it does an effective job of showing how the challenge and the obfuscation employed by the binary can be better understood with TTD.
- LDAPNightmare: SafeBreach Labs Publishes First Proof-of-Concept Exploit for CVE-2024-49112 - SafeBreach released a post to demonstrate and deconstruct their crash PoC for CVE-2024-49112. The post starts with a demonstration of the capability, as well as a high-level overview of the vulnerability and trigger itself. Essentially, the bug stems from a mishandling of the CLDAP referral response packet, which an attacker can send to a victim Windows Server using Windows Lightweight Directory Access Protocol (LDAP). The post then does a technical deep dive, focusing specifically on the LDAP protocol, and demonstrating how to trigger a remote LDAP request and send a malicious LDAP response. The team is able to trigger the int overflow which subsequently causes a crash. The post wraps with the team's belief that this is fully exploitable for RCE, as Microsoft's advisory claims, and they plan to continue working on it.
- Citrix Denial of Service: Analysis of CVE-2024-8534 - It wouldn't be a complete newsletter without some good ole enterprise tech. Luckily for us, AssetNote decided to analyze CVE-2024-8534, a DoS bug for Citrix NetScaler. The team wanted to understand the bug better, and see if it was potentially a corruption which could be taken further than Citrix's advisory let on. The vulnerability is in the RDP Handler, and the team was able to quickly spin up a Python client to interact with it. From there, they fuzzed the packet header, which resulted in a crash similar to the CVE's description. The team then worked to set up a debugger and attempted to debug the crash. Unfortunately, given time constraints, they were only able to put together a handful of pieces of the puzzle and did not get a full RCA completed. However, there were a few notable takeaways, and the post wraps with the overall learnings.
Interesting Job Postings:
- Security Researcher / Developer @ Horizon3.ai (Remote)
- Senior Vulnerability Researcher @ Battelle (On-Site: Columbus, OH)
- Vulnerability Researcher @ Chameleon Consulting Group LLC (On-Site: Arlington, VA)
- Vulnerability Researcher (iOS and Android) @ Magnet Forensics (Remote)
- Product Security Engineer, Electronic Warfare @ Anduril (On-Site: Costa Mesa, CA)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Don't forget to check out https://bug.directory!
We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here: https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴‍☠️