<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>R3zk0n</title><description>Bug hunter and exploiter in web security, *OSX, and mobile applications.</description><link>https://x64.sh/</link><item><title>Deploy and Destroy Featuring Certificates</title><link>https://x64.sh/posts/deploy-and-destroy-featuring-certificates/</link><guid isPermaLink="true">https://x64.sh/posts/deploy-and-destroy-featuring-certificates/</guid><description>Setting up devices for security research deployment often takes longer than the testing itself. Notes and tooling for standing up (and tearing down) an Android AVD each engagement — including installing the Burp CA on Android 14+.</description><pubDate>Thu, 21 Nov 2024 00:00:00 GMT</pubDate><category>Pentesting</category><category>Mobile</category></item><item><title>Misconfigured Microsoft Content Provider</title><link>https://x64.sh/posts/misconfigured-microsoft-content-provider/</link><guid isPermaLink="true">https://x64.sh/posts/misconfigured-microsoft-content-provider/</guid><description>The misconfigured content provider bug in com.microsoft.launcher is disclosing issues with the proper functioning of this Android launcher application.</description><pubDate>Sun, 15 Oct 2023 00:00:00 GMT</pubDate><category>Vuln Research</category><category>Mobile</category></item><item><title>ServiceNow Insecure Access Control To Full Admin Takeover</title><link>https://x64.sh/posts/servicenow-access-control-admin-takeover/</link><guid isPermaLink="true">https://x64.sh/posts/servicenow-access-control-admin-takeover/</guid><description>An XHR request to xmlhttp.do with the &quot;ChartDataProcessor&quot; processor in the POST request allows the enumeration of the ServiceNow GQL database, including read access to the `sys_user_session` and `sys_user_token` tables, which provide the necessary information to generate valid `glide_user_activity` and `glide_session_store` cookies, and the X-Usertoken header to allow privilege escalation to any previously authenticated user..</description><pubDate>Mon, 26 Jun 2023 00:00:00 GMT</pubDate><category>Vuln Research</category><category>Web</category></item><item><title>JetEngine &lt; 3.1.3.1 - Author+ Remote Code Execution</title><link>https://x64.sh/posts/jetengine-author-rce/</link><guid isPermaLink="true">https://x64.sh/posts/jetengine-author-rce/</guid><description>The plugin includes uploaded files without adequately ensuring that they are not executable, leading to a remote code execution vulnerability.</description><pubDate>Mon, 20 Mar 2023 00:00:00 GMT</pubDate><category>Vuln Research</category><category>Web</category></item><item><title>SwitchResX Vulnerability</title><link>https://x64.sh/posts/switchresx-vulnerability/</link><guid isPermaLink="true">https://x64.sh/posts/switchresx-vulnerability/</guid><description>SwitchResX installs a privileged helper tool that runs as root but fails to validate incoming XPC connections. This post walks through decompiling the helper and abusing its exported moveFiles method to achieve local privilege escalation.</description><pubDate>Mon, 31 Oct 2022 00:00:00 GMT</pubDate><category>Vuln Research</category><category>macOS</category></item><item><title>Improper access control in Factory Camera</title><link>https://x64.sh/posts/improper-access-control-factory-camera/</link><guid isPermaLink="true">https://x64.sh/posts/improper-access-control-factory-camera/</guid><description>ACL issue leading to system privileges.</description><pubDate>Mon, 01 Nov 2021 00:00:00 GMT</pubDate><category>Vuln Research</category><category>Mobile</category></item><item><title>The NTLM Exchange</title><link>https://x64.sh/posts/ntlm-exchange/</link><guid isPermaLink="true">https://x64.sh/posts/ntlm-exchange/</guid><description>Leaking FQDN information from Microsoft Exchange by parsing the AV_PAIR structures returned in an NTLM challenge over RPC-over-HTTP.</description><pubDate>Sun, 21 Mar 2021 00:00:00 GMT</pubDate><category>Pentesting</category><category>Web</category></item><item><title>XSS Encoding Generator</title><link>https://x64.sh/posts/xss-encoding-generator/</link><guid isPermaLink="true">https://x64.sh/posts/xss-encoding-generator/</guid><description>A short Python tool that generates XSS payloads in several encodings — HTML entities, unicode escapes, and URL encoding — to help bypass WAFs during testing.</description><pubDate>Tue, 19 Jan 2021 00:00:00 GMT</pubDate><category>Tooling</category><category>Web</category></item><item><title>Enter The Realm</title><link>https://x64.sh/posts/enter-the-realm/</link><guid isPermaLink="true">https://x64.sh/posts/enter-the-realm/</guid><description>Using Frida to hook the RealmConfiguration function on Android, an encrypted Realm database&apos;s encryption key can be extracted at runtime. The recovered key lets you decrypt and read the database contents, demonstrated against both a test app and the Element messenger.</description><pubDate>Mon, 21 Dec 2020 00:00:00 GMT</pubDate><category>Pentesting</category><category>Mobile</category></item><item><title>BadBinder Emulator Root</title><link>https://x64.sh/posts/badbinder-emulator-root/</link><guid isPermaLink="true">https://x64.sh/posts/badbinder-emulator-root/</guid><description>During a mobile audit engagement the target application enforced root and emulator detection. This post walks through leveraging the reintroduced BadBinder (CVE-2019-2215) kernel bug to gain temporary root on the Android Studio emulator and bypass those protections.</description><pubDate>Sat, 08 Aug 2020 00:00:00 GMT</pubDate><category>Pentesting</category><category>Mobile</category></item><item><title>Juno XSS Challenge</title><link>https://x64.sh/posts/junos-xss-challenge/</link><guid isPermaLink="true">https://x64.sh/posts/junos-xss-challenge/</guid><description>Breaking down a neat zero-interaction XSS challenge payload from @junorouse — abusing a URI scheme, a name attribute, onfocus, and a domain + URL-hash bypass to reach execution.</description><pubDate>Sat, 01 Jun 2019 00:00:00 GMT</pubDate><category>Pentesting</category><category>Web</category></item><item><title>Frida and Objection</title><link>https://x64.sh/posts/frida-and-objection/</link><guid isPermaLink="true">https://x64.sh/posts/frida-and-objection/</guid><description>Frida is a dynamic instrumentation toolkit that lets you introspect running applications and inject JavaScript to hook functions and APIs. This post covers using Frida on mobile devices along with Objection, a dynamic instrumentation framework built on top of it.</description><pubDate>Sat, 01 Jun 2019 00:00:00 GMT</pubDate><category>Pentesting</category><category>Mobile</category></item></channel></rss>