One Click, One Hash: Unpatched NTLM Coercion in Windows Search URI Handler
Original text by Andrew Schwartz
Key Takeaways
Same bug class. No CVE. No fix. The NTLM coercion primitive in the Windows search: URI handler is technically identical to CVE-2026-33829 in the Snipping Tool. Same severity rating, same mechanism, same potential impact. Microsoft closed it without a CVE or a patch, describing its triage process as…
https://core-jmp.org/2026/06/one-click-one-hash-unpatched-ntlm-coercion-in-windows-search-uri-handler/
Hidden HTTP/2 Bomb
FOR nginx, Apache httpd, Microsoft IIS, Envoy, Cloudflare Pingora*
WriteUP + LABs + PoCs
Red Team Tactics: Utilizing Syscalls in C# — Writing the Code (Walk-through of Jack Halon’s Direct-Syscall PoC)
Original text: “Red Team Tactics: Utilizing Syscalls in C# – Writing The Code” — Jack Halon, Jack Hacks (16 April 2020, updated). Code blocks and figures below are reproduced verbatim with attribution captions.
Executive Summary
Jack Halon’s second “Utilizing Syscalls in C#” post is the implementation half of the series: take the conceptual understanding of…
https://core-jmp.org/2026/06/red-team-tactics-utilizing-syscalls-in-csharp-writing-the-code/
Reverse-engineering Valorant’s Vanguard Guarded Regions: PML4 Cloning, CR3 Swaps, and the SwapContext Hook PoC (Walk-through of Xyrem’s Post)
Original text: “In-depth analysis on Valorant’s Guarded Regions” — Xyrem, reversing.info (2023). Code blocks and figures below are reproduced verbatim with attribution captions.
Executive Summary
Riot’s Vanguard anti-cheat keeps a slice of Valorant’s game state in memory that is, from any other process or unprivileged thread’s point of view, simply not mapped. Xyrem’s post walks…
https://core-jmp.org/2026/06/reverse-engineering-valorant-vanguard-guarded-regions-pml4-cr3-swap-context-hook/
Social Engineering: Attacking Networks with a BadUSB-ETH, Part 2
Original text by CO11ATERAL
A small USB device can cause a lot of damage when it’s physically plugged into a machine. In this scenario, a BadUSB turns a connection into a bridge for capturing authentication data and gaining network access, even on locked systems.
Welcome back, aspiring cyberwarriors!
In Part 1, we set the foundation…
https://core-jmp.org/2026/06/social-engineering-attacking-networks-with-a-badusb-eth-part-2/
Qualcomm QAIC Kernel Driver Page Use-After-Free: From Stale Mmap to Pipe-Buffer-Backed Kernel R/W (Walk-through of Lukas Maar’s Linux v6.18 Exploit)
Original text: “Privilege Escalation via a Page Use-After-Free in Qualcomm’s AI Accelerator Linux Kernel Driver” — Lukas Maar, Security Blog (23 May 2026). Code blocks and figures below are reproduced verbatim with attribution captions.
Executive Summary
Lukas Maar’s post writes up a clean page-level use-after-free in the upstream drivers/accel/qaic Linux kernel driver. The bug is…
https://core-jmp.org/2026/06/qualcomm-qaic-kernel-driver-page-uaf-pipe-buffer-kernel-rw-lukas-maar/
BOF Cocktails in Cobalt Strike: Instrumenting BOFs with BEACON_INLINE_EXECUTE and Crystal Palace
Original text: “BOF Cocktails in Cobalt Strike” — Rasta Mouse, rastamouse.me (05 Jun 2026). Code blocks and the screenshot below are reproduced verbatim from the source with attribution.
Executive Summary
Post-exploitation Beacon Object Files (BOFs) historically inherited their evasion posture from whatever agent or loader executed them. If the loader took care of unhooking, masking,…
https://core-jmp.org/2026/06/bof-cocktails-cobalt-strike-beacon-inline-execute-crystal-palace/
BusyWork: Replacing Sleep with Real Work to Break Behavioral Detection
Original text: “BusyWork: Replacing Sleep with Real Work to Break Behavioral Detection” — patchi.fyi (07 Jun 2026, byline shows only the site handle — author not publicly attributed). Library source: github.com/PatchRequest/BusyWork. Short illustrative code excerpts are reproduced with attribution; longer routines are summarised — consult the upstream repo for full sources.
Executive Summary
A thread…
https://core-jmp.org/2026/06/busywork-replacing-sleep-with-real-work-behavioral-detection/
OOBdump: Single-Shot Heap-OOB Exploitation of objdump -g via FR30 Relocations
Original text: “OOBdump: Relocation Oriented Programming” — Calif, blog.calif.io (08 Jun 2026, no individual byline). PoCs and writeups: github.com/califio/publications/…/oobdump. Short illustrative code excerpts and the original article’s diagrams are reproduced with attribution; the prose is paraphrased.
Executive Summary
The Calif team has been quietly collecting trophy bugs in reverse-engineering tooling for a while — IDA…
https://core-jmp.org/2026/06/oobdump-objdump-fr30-relocation-oriented-programming/
Microsoft Defender Now Monitors Remote RPC Activity: What It Catches and How to Hunt
Original text: “Microsoft Defender now monitors RPC activity” — EdanZwick, Microsoft Tech Community / Microsoft Defender for Endpoint Blog (08 Jun 2026). The three KQL hunting queries below are reproduced verbatim with attribution. Prose is paraphrased; for the Defender XDR alert / detection screenshots, see the original post.
Executive Summary
Microsoft has extended Defender’s existing…
https://core-jmp.org/2026/06/microsoft-defender-monitors-remote-rpc-activity/
Client-Side Container Attack: DLL Sideloading wab.exe via Email Archive Delivery
Original text: “Initial access. Client side container attack” — Leigh Gilbert, Exploitz (exploitz.ca, June 2026). The diagrams below are reproduced with attribution; prose is paraphrased. MITRE ATT&CK reference: T1574.001 — DLL Search Order Hijacking.
Executive Summary
Leigh Gilbert’s walkthrough chains together a long-known but still effective initial-access pattern: ship a signed Microsoft binary that has…
https://core-jmp.org/2026/06/client-side-container-attack-dll-sideloading-wab-exe-email-archive/
Patching the Windows Kernel via BYOVD: ThrottleStop.sys, MmMapIoSpace and the NtAddAtom Trampoline
Original text: “Whoops! I did it again. I patched Windows Kernel at Milan0day 2026” — zer0matt, zer0matt’s blog (29 May 2026). PoC: github.com/zer0matt/Milan0day2026. Diagrams below are reproduced from the original with attribution; prose is paraphrased.
Executive Summary
zer0matt’s Milan0day 2026 talk and accompanying writeup demonstrate a clean Bring Your Own Vulnerable Driver (BYOVD) chain that…
https://core-jmp.org/2026/06/patching-windows-kernel-byovd-throttlestop-mmmapiospace-ntaddatom/
Covert Kernel/User Communication Channels on Windows: Rootkits, Game Cheats, and Detection
Original text: “Covert Kernel/User Communication Channels on Windows: Rootkits, Game Cheats, and Detection” — kernullist, Kernullist’s Blog (Jun 10, 2026). Classification tables, ASCII flow diagrams, and C-language structure declarations below are reproduced verbatim with attribution captions.
Executive Summary
A modern Windows kernel-assisted threat is almost never a single user-mode binary doing all the work. It…
https://core-jmp.org/2026/06/covert-kernel-user-communication-channels-windows-rootkits-cheats-detection/