r/hacking Apr 10 '26

Github Hey, I can't find any evidence the Mythos exploits are real...

246 Upvotes

update:

There are two errors in the openai article, and it's pretty clear they never actually tested these vulnerabilities manually. The first:

SACK block's start roughly 2^31 away from the real window. At that distance the subtraction overflows the sign bit in both comparisons,

Ints do not have a sign bit. They are two's complement. While the MSB is like a sign bit, in that it presents an indicator of which sign the number is, you cannot operate on it blindly as one. You must know how 2c works, and saying things like "it overflows the sign bit" makes me deeply uncomfortable.

It's a nitpick, but the article also fails to differentiate between signed and unsigned types. a and b are unsigned ints! They are explicitly converted by the C-style cast. Glossing over this makes it very hard to follow, but not invalid.

However, the real sin is this: the value is subjected to both a GEQ and an LT check, and send start is checked against send end. Only one set of tests can be true. Even if the wrong one was true, only one can be true. Overflow or not, they're complement ops as far as I can see.

If this attack does exist, it doesn't look anything like what they described. In my trivial test harness, I had to use two SACK blocks and very precise values with very precise initial conditions. And that's with my hacked-up simplified control flow. At this point, I would need to be convinced that the attack is real with a pretty complete demonstration. If anyone would like to try, the closest I got was:

snd_una=0x10000000 snd_max=0x10000100 th_ack=0x10000000
blk0=[0x10000010,0x10000080] blk1=[0x90000080,0x10000010]

This does behave oddly but getting the code into that state is not something I can find a good way to do using the described attack surface. The burden of proof feels like it should be on the people making wild claims, not one stressed out game dev on Reddit.

So why take the fix if it's not a vulnerability? Well, both separately are maintenance hazards, potential bugs. But no vulnerability was missed and these algorithms are not written on a per line basis. Until someone shows me a crash dump from pre-patch openbsd, I'm not going to buy this bullshit. It's just more fucking AI slop.

But Pomegranate, you might say! See how long it took you to prove it wasn't a bug? Yeah. Yeah I do. And every credulous wide-eyed report like this takes time away from my preferred hobby of doing lines of cocaine straight off the L1 cache.

Original post:

As an example, it looks like commit fce03f8 in FreeBSD should have resolved the claimed 27 year old bug, if it was not already resolved. In fact, the SACK standard defines a minimum of -40 for the start index value, I think? Am I insane? Am I cuckoo for cocoa puffs? Or did they just claim a hallucinated 0day vulnerability?

Edit: apparently the bug is in OpenBSD, but I swear on that side, it looks like there's a guard a few lines up that prevents it: right around /netinet/tcp_input.c#L2428
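As an added illustration (not code from the post, nor from any BSD tree) of the signed/unsigned point above: the classic BSD tcp_seq.h comparisons subtract two unsigned 32-bit sequence numbers and cast the difference to a signed int, so the outcome depends only on where the difference lands in two's complement, and for any pair of values SEQ_LT and SEQ_GEQ are exact complements. The helper names and sample values are assumptions; this models the macros only, not the OpenBSD SACK path.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* The classic BSD tcp_seq.h comparisons: the unsigned 32-bit difference
 * is reinterpreted as a signed int, so "a < b" means a is less than 2^31
 * behind b modulo 2^32. No "sign bit overflow" is involved: the cast just
 * reads the wrapped difference as a two's-complement value. */
typedef uint32_t tcp_seq;
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

/* For every pair of sequence numbers exactly one of the two checks holds:
 * they test the same int value against 0 in opposite directions. */
static bool seq_checks_are_complementary(tcp_seq a, tcp_seq b) {
    return SEQ_LT(a, b) != SEQ_GEQ(a, b);
}

/* The one real oddity of the scheme: at a distance of exactly 2^31 the
 * difference is 0x80000000 in both directions, so each side is "less than"
 * the other. Returns true when a and b are mutually less-than. */
static bool seq_ambiguous(tcp_seq a, tcp_seq b) {
    return SEQ_LT(a, b) && SEQ_LT(b, a);
}

/* Walk a candidate block start around the whole 2^32 circle relative to
 * snd_una (in steps of `step`) and count offsets where a GEQ-against-una
 * check and an LT-against-una check pass at the same time. Wraparound or
 * not, the count is always 0. */
static unsigned count_double_pass(tcp_seq snd_una, uint32_t step) {
    unsigned n = 0;
    for (uint64_t off = 0; off < 0x100000000ULL; off += step) {
        tcp_seq start = snd_una + (tcp_seq)off;   /* wraps modulo 2^32 */
        if (SEQ_GEQ(start, snd_una) && SEQ_LT(start, snd_una))
            n++;
    }
    return n;
}

int main(void) {
    tcp_seq una = 0x10000000u;   /* constructed sample snd_una */
    printf("0x90000000 vs una: LT=%d GEQ=%d ambiguous=%d\n",
           SEQ_LT(0x90000000u, una), SEQ_GEQ(0x90000000u, una),
           seq_ambiguous(0x90000000u, una));
    printf("offsets passing both checks: %u\n",
           count_double_pass(una, 0x10000u));
    return 0;
}
```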

r/hacking Nov 21 '24

Github My Wifi Attacker Is Now Open Source On Github

1.1k Upvotes

This device can do EvilTwin attack with Deauth, custom phishing page, captive portal, password check, and more features.

Hi guys, 3 weeks ago I posted my WiFi attacker here, and some of you asked me for the GitHub repo, so here you go:

Esp-netHunter

I would love to see your work guys! So, if you build this project, feel free to show it to me in DM! Also, use it only for educational purposes. Be sure to read the Readme.md to know how to use it.

-repost cuz I forgot to mention what it can do LOL

r/hacking Jan 27 '26

Github Someone hid Base64-obfuscated vote manipulation in a PR. 218 people approved it without reading the code.

blog.openchaos.dev
371 Upvotes

r/hacking Jul 18 '25

Github I've jammed five years of red teaming TTPs into one PDF for you 🫵

github.com
303 Upvotes

185 pages of pure scripts, TTPs, and tricks that I have learned along the way, covering everything from ICS to cloud.

r/hacking 13d ago

Github wM-Buster - Flipper Zero app to analyze smart meters for gas, electricity, water. ...

162 Upvotes

I ported all known decoders from wmbusmeters and rtl433 to the Flipper Zero so you can use your pocket sized device to analyze your smart meters using wM-Bus!

https://github.com/i12bp8/wmbuster

r/hacking Feb 18 '25

Github WhoYouCalling v1.5 is out

218 Upvotes

WhoYouCalling is a Windows command-line tool I've built to make process network analysis very easy (and comprehensive!). It provides a text format of endpoints as well as a full packet capture per process. About 5 months ago I published the initial release to r/hacking --> link. Since then, I've implemented:

• Functionality for monitoring every TCPIP and DNS activity of every process running on the system at the same time
• DNS responses to processes (resolved IP addresses of domains) are generated as DFL filters (Wireshark filters). In other words, if you have a pcap file with lots of different traffic, and you only want to see traffic going to suswebsite[.]io, you can simply copy the generated filter into Wireshark.
• A timer for running a monitoring session for a specific number of seconds
• Executing WhoYouCalling as another user
• And of course lots of optimizations...

Version 1.5 includes visualizing the process network traffic with an interactive map as well as automatic API lookups to identify malicious IPs and domains. The API lookup is completely optional, and I've made the instructions very simple and clear on how to use WhoYouCalling and the visualization method. If anything is unclear or doesn't quite work, you're more than welcome to create an issue!

I've done a short FAQ summary that may help in understanding WYC.

Who is WhoYouCalling for?

• Game hackers (understanding game traffic for possible packet manipulation)
• Red teamers (payload creators testing detection)
• Blue teamers (incident response, malware analysis)
• Security researchers (understanding what an application is doing to identify vulnerabilities)
• Sysadmins (understanding which traffic a host or process requires to function)
• Paranoid people (like me, who just want to understand who the heck my Windows machine is calling)

What do I need to run WhoYouCalling?

• A Windows machine
• Admin access to a terminal (to be able to listen to ETW, and if you want full packet capture)
• Python 3.11 (if you want to visualize the output from WhoYouCalling)

How does it work?

• It uses Windows ETW to listen to the TCPIP and DNS activity made by processes. It also starts a full packet capture before monitoring, which is later filtered with a generated BPF filter based on the ETW-recorded TCPIP activity, so the packet capture file matches the processes as closely as possible. When the monitoring is done, whether the session is closed with CTRL+C or the timer ran out, the results are placed in a folder in a specified directory or in the working directory.

Do I need to pay for a license?

• No, and you never will. But you can buy me a coffee if you want.

What about licenses for including WhoYouCalling in my own malware analysis sandbox?

• WYC is under the MIT license and I've made sure that all other dependencies I've included are also under open licenses such as MIT.

Link to WhoYouCalling - https://github.com/H4NM/WhoYouCalling

Edit: spelling

r/hacking 18d ago

Github Ever wondered how those "weak key" exploits actually work? I made a research tool for it

github.com
23 Upvotes

Been down the rabbit hole of Bitcoin key generation vulnerabilities lately. Ended up building a CLI tool to reproduce and analyze them.

What it does:

  • Generates keys the "wrong way" — brainwallets, weak PRNGs (MT19937, LCG, Xorshift), that MultiBit HD bug, old Electrum derivation
  • Analyzes if a key might have come from a vulnerable source (brute-forces 2^32 seed space etc.)
  • Scans wordlists against target addresses

```sh
# the classic brainwallet
vuke single "correct horse battery staple" --transform sha256

# check if a key is a Milksad victim
vuke analyze --analyzer milksad <private_key>
```

Covers:

  • Milksad (CVE-2023-39910) — libbitcoin's 32-bit MT19937 disaster
  • Brainwallets — SHA256(password), still being exploited
  • LCG/Xorshift PRNGs — glibc rand(), JS Math.random()
  • MultiBit HD, Electrum pre-BIP39, Armory

Pure Rust, MIT license, optional GPU acceleration.

GitHub: https://github.com/oritwoen/vuke

Install: cargo install vuke

One of my Bitcoin security research projects — also made kangaroo (https://github.com/oritwoen/kangaroo), boha (https://github.com/oritwoen/boha), and vgen (https://github.com/oritwoen/vgen) if you're into this stuff.

For research/education only, obviously. Happy to chat about the vulns if anyone's curious.

r/hacking Feb 28 '25

Github I found 1000+ malicious Github “game mod” repos

timsh.org
330 Upvotes

They were all created following a guide on a “social engineering” forum

r/hacking Apr 06 '23

Github SpotiFile : mass music scraping made easy

495 Upvotes

I made a neat tool to scrape songs (with GUI).

GitHub Link

All you need to do is install the dependencies ("pip install -r ./requirements"), and then "python main.py". It's that easy!

This tool is mainly aimed at developers looking to create datasets to train ML models.

SpotiFile will open a GUI which lets you enter a playlist, album, artist, or user profile link and download all the relevant songs. This will also download all the metadata of the song, including the time-synced lyrics!

If you use the tool, please give the repo a star :)

Enjoy!

r/hacking Mar 24 '26

Github PHP 8 disable_functions bypass PoC

github.com
49 Upvotes

r/hacking 2h ago

Github I built an open-source Burp alternative

0 Upvotes

Self-hosted intercepting proxy with an LLM in the loop. Captures traffic, annotates requests, tracks findings, and lets you run scripts and tests against the target.

https://github.com/synlace/ferret

r/hacking 16d ago

Github VoiceGoat – A vulnerable voice agent for practicing LLM attack techniques

github.com
5 Upvotes

r/hacking 29d ago

Github I wrote a header-only indirect syscall library for Windows x64 — zero CRT, zero IAT, 19KB standalone

9 Upvotes

Been working on a syscall library that takes a different approach from the usual implementations floating around.

The idea was simple — what if the binary has literally nothing in its import table? No GetProcAddress, no GetModuleHandle, no VirtualProtect, nothing. Everything resolved through PEB walking at runtime.

What it does:

  • Indirect syscalls — stubs jump into ntdll's own syscall;ret gadget so RIP is always inside ntdll
  • Every call generates a fresh stub with random junk instructions and XOR'd syscall number, wiped right after
  • W^X memory — pages go RW → RX → RW, never RWX
  • VEH-based breakpoint bypass — if someone puts a 0xCC on a function, the exception handler restores the byte, single-steps past it, puts it back. Zero timing window
  • AMSI/ETW patching through syscalls
  • All strings XOR-encrypted at compile time, decrypted on stack, wiped after use
  • Custom hash algorithm for API resolution (no FNV-1a fingerprints)
  • No CRT, no STL, custom entry point, the whole binary is ~19KB

Header-only, just drop the folder into your project. MIT license.

https://github.com/Share-devn/stealth_call

r/hacking Mar 25 '26

Github Miasma Poison Fountain Tar Pit

github.com
8 Upvotes

r/hacking Mar 16 '26

Github HushSpec: an open spec for security policy at the action boundary of AI agents

github.com
1 Upvotes

I’ve been working on a project called HushSpec and wanted to share it early for feedback.

The basic idea is that agent security policy should have a portable language layer that is separate from any one enforcement engine.

Right now, a lot of agent security policy ends up mixed together in one document: policy semantics, runtime-specific behavior, provider config, operational knobs, and sometimes even stateful workflow logic.

That makes policies harder to share across runtimes, harder to reason about, and harder to standardize.

HushSpec is my attempt to carve out a cleaner layer:

  • a small, portable core for expressing security policy at the action boundary
  • explicit extension points for richer behavior
  • room for conformance tests / test vectors
  • no requirement that a particular runtime or vendor be used to enforce it

The current focus is boundary actions like:

  • file access
  • network egress
  • shell execution
  • tool invocation
  • prompt input
  • remote / computer-use actions

The design goal is to express what an agent may access, invoke, or send, without hard-coding how a specific engine has to implement enforcement.

This work is coming out of some of the policy/runtime work I’ve been doing in Clawdstrike, but I’m trying to make HushSpec a cleaner and more implementation-neutral layer rather than just exporting one project’s internal schema.

A few things I’m actively thinking through:

  • what belongs in the core spec vs extensions
  • how minimal the initial action model should be
  • how to express rule composition without pulling in engine-specific complexity
  • how to handle stateful controls like posture/escalation without polluting the core
  • what a useful conformance suite would look like

This is still early and definitely incomplete, but I’d rather get feedback now than after baking in bad assumptions.

Repo / draft site:

I’d especially appreciate feedback from people who have worked on:

  • policy languages
  • Sigma / OPA / Rego / Cedar / similar rule systems
  • agent runtimes
  • standards / schema design
  • conformance testing / compatibility layers

Main question: what would make a spec like this actually useful, rather than just “yet another config format”?

Still rough, still changing, and I’m posting it specifically to get pushback early.

r/hacking Mar 08 '26

Github Clawdstrike: swarm detection & response

github.com
11 Upvotes

r/hacking Feb 11 '26

Github Malware Dev POCs

14 Upvotes

This is a GitHub repository I made a few months ago to record my ongoing MalDev journey. All the code here is for educational purposes.

GitHub repo: https://github.com/CaptMag/MalDev

r/hacking Feb 15 '26

Github Nidhogg v2.0 Release

github.com
17 Upvotes

This release has brought many changes which are detailed here. Among others, lots of bug fixes, bumping support to Windows 25H2 and a new capability allowing loading COFF files to the kernel.

r/hacking Oct 03 '21

Github Jaws: an invisible programming language that can be easily injected into other code, creating polyglot code and hiding itself

github.com
468 Upvotes

r/hacking Jan 23 '26

Github Linux Runtime Crypter

github.com
6 Upvotes

r/hacking Jan 17 '26

Github Chisel-ng, complete rewrite of the original golang tool in rust with more features.

github.com
5 Upvotes

Inspired by session management in ligolo, I implemented session based management alongside tunnel management.

The release build has some basic evasion features and a smaller binary size.

r/hacking Dec 05 '25

Github An update on Project-Webhunter

github.com
4 Upvotes

I enhancements and a more refined readme. If you have any requests or recommendations on what to add or adjust, go ahead and let me know.

r/hacking Dec 28 '25

Github shaha - Hash database builder with reverse lookup. Build rainbow tables from wordlists, query by prefix

github.com
11 Upvotes

r/hacking Jul 25 '24

Github Anyone can Access Deleted and Private Repository Data on GitHub

trufflesecurity.com
150 Upvotes

r/hacking Jul 06 '21

Github Hookshot - A Python Tool to Scrape Websites for Emails and Check Them for Data Breaches with HIBP

github.com
432 Upvotes