Advanced Search
Search Results
41 total results found
SAN660以及GXPN感受与心得,以及与OSED的对比
说起来,已经挺久没有写关于培训课程与认证的心得了,即便是通过 OSCE3 之后。在过去几天,我通过了 SEC660 课程所对应的认证 GXPN 的考试,因为我也是第一次接触 SANS 的课程与 GIAC 的认证,因此发表一些心得与感受,以及与 OSED 的对比。 课程基本信息 SEC660 (https://www.sans.org/cyber-security-courses/advanced-penetration-testing-exploits-ethical-hacking/)是 SANS ...
SEC660/GXPN Review And The Comparison With OSED
Hi folks, it's been quite a while since I last wrote review on training courses and certifications, even after passing OSCE3. In the past few days, I passed the GXPN exam, which is the certification exam of the SEC660 course. Since this was my first experience...
Offsec OSMR课程以及认证心得分享
大家好,最近几个月以来我在网络安全社区不是很活跃,因为我在学习 Offsec 的 OSMR 课程。这是一门有关 Mac OS 内部原理,以及漏洞利用开发的课程。课程的体量十分庞大,远远超出了我的预期,内容对于我来说也是十分的新鲜,这使得我投入较多的时间。幸运的是,最近我通过了 OSMR 的考试,期间的努力学习得到了回报。 相对于 Offsec 的其他认证,例如 OSCP/OSEP/OSWE,OSMR 较新,认证持有者较少,因此相关的心得与分享也比较少。尤其是中文的 OSMR 心得,我目前尚未遇见,那么,我希望...
Offsec OSMR Course and Exam Review
Hello, in the past few months, I haven't been very active in the cyber security community because I’ve been studying Offsec’s OSMR course. This course focuses on macOS internals and exploit development. The course is far more extensive than I had anticipated, ...
Adobe-Downloader <=1.3.1 Local Privilege Escalation
CVE-2024-12786 XPC Local Privilege Escalation Description The Adobe-Downloader application is vulnerable to a local privilege escalation due to insecure implementation of its XPC service. The application registers a Mach service under the name com.x1a0he.ma...
Stats < v2.11.22 Local Privilege Escalation
CVE-2025-0396 Description The Stats application is vulnerable to a local privilege escalation due to the insecure implementation of its XPC service. The application registers a Mach service under the name eu.exelban.Stats.SMC.Helper. The associated binary, e...
AlDente-Charge-Limiter <1.30 Unauthorized Privileged Hardware Operations
CVE-2025-1078 Description The AlDente-Charge-Limiter application is vulnerable to unauthorized privileged hardware operations due to the insecure implementation of its XPC service. The application registers a Mach service under the name com.davidwernhart....
My Mac App Vulnerability Journey: Strategies and Precision Hunting Techniques
Background Today, I would like to share my journey in macOS application vulnerability research. Previously, I disclosed new CVEs in popular macOS software, and some people have asked me to write a detailed write-up. So, let’s get started. At the end of 2...
MiniTool Partition Wizard 13.6 Kernel Driver pwdrvio.sys Local Privilege Escalation
Summary MiniTool Partition Wizard DEMO 13.6 installs the signed kernel driver pwdrvio.sys. The driver exposes \\.\PartitionWizardDiskAccesser\<disk_number> and forwards read, write, and disk IOCTL requests to the lower disk device from kernel context. In the...
DVDFab Virtual Drive Kernel Driver dvdfabio.sys 1.5.1.0 Local Privilege Escalation
CVE-2026-12217 Summary DVDFab Virtual Drive 2.0.0.5 ships the signed kernel driver dvdfabio.sys. The driver exposes \\.\DVDFabIO and implements registry proxy IOCTLs that open or create caller-selected native registry paths from kernel context. The returned ...
AOMEI Partition Assistant 10.10.1 Kernel Driver ampa10.sys Local Privilege Escalation
CVE-2026-12778 Summary ampa10.sys, shipped with AOMEI Partition Assistant Standard 10.10.1, exposes the \\.\wowrt device to a standard local user and forwards file read/write requests to the underlying disk stack. The forwarded requests are issued from kernel...
AOMEI Dynamic Disk Manager 10.10.1 Kernel Driver ddmdrv.sys Local Privilege Escalation
CVE-2026-12779 Summary ddmdrv.sys, shipped with AOMEI Partition Assistant Standard 10.10.1, exposes the \\.\ddmwrt device to a standard local user and forwards raw read/write requests to the underlying disk stack. The forwarded requests are issued by the kern...
AOMEI Backupper 8.3.0 Kernel Driver amwrtdrv.sys Local Privilege Escalation
CVE-2026-12780 Summary AOMEI Backupper 8.3.0 installs and auto-loads the signed kernel driver amwrtdrv.sys. The driver exposes a user-reachable raw disk forwarding interface at \\.\amwrtdrv\Partition0\DISK<N>. A standard, non-administrative user can use this...
QILING Disk Master Kernel Driver diskbckp.sys 6, 0, 0, 0 Local Privilege Escalation
Summary QILING Disk Master Free ships a kernel driver, diskbckp.sys, that exposes the device \\.\diskbakdrv1 to a standard local user. A non-administrative user can open that device, attach a disk context, and issue an IOCTL that writes caller-controlled byte...
EaseUS Partition Master 14.5 Kernel Driver epmntdrv.sys Local Privilege Escalation
CVE-2026-12781 Summary EaseUS Partition Master installs and loads epmntdrv.sys, which exposes a legacy device path of the form \\.\EPMNTDRV\<disk>. A standard local user can open this device, bind it to a caller-selected physical disk, and issue raw reads and...
EaseUS Partition Master 14.5 Kernel Driver EUEDKEPM.sys Local Privilege Escalation
CVE-2026-12782 Summary EaseUS Partition Master installs EUEDKEPM.sys, a raw disk forwarding kernel driver that exposes a device path of the form \\.\EUEDKEPM\<disk>. A standard local user can open this device and issue raw reads and writes against a caller-se...
IM-Magic Partition Resizer 7.9.0 Kernel Driver MDA_NTDRV.sys Local Privilege Escalation
CVE-2026-12784 Summary IM-Magic Partition Resizer Free Portable includes MDA_NTDRV.sys, a raw disk forwarding driver that exposes \\.\MDA_NTDRV\<disk>. A standard local user can open this device and perform raw reads and writes against a caller-selected physi...
UltraISO Premium 9.76 Kernel Driver bootpt64.sys Local Privilege Escalation
CVE-2026-12786 Summary UltraISO Premium Edition 9.76 ships the signed kernel driver bootpt64.sys. The driver exposes \\.\BootPart to standard users and allows a caller to mount a selected physical disk range through IOCTL 0x7F300. After the mount succeeds, no...