Freestream Max Investigation

2 Mar, 2024 - 17 minutes
Background: Someone I know once told me about a device they purchased at a county fair. It’s a small box that you plug into your TV and hook up to your Internet connection. It’s basically a digital content streaming box (like a Roku), except the seller claimed that you could get any movie or TV show you wanted for free. This supposedly included live television and films that were still in theaters.

CVE-2023-40477 Root Cause Analysis

14 Sep, 2023 - 23 minutes
CVE-2023-40477: I’ve recently been looking at N-day vulnerabilities in Windows software in an attempt to hone my reverse engineering and exploit development skills. Last month, I read about an interesting bug in WinRAR version 6.22 and below which could result in remote code execution. This bug was assigned CVE-2023-40477. It was discovered by Zero Day Initiative. When I started, all the information I had to go on came from the ZDI page:

Windows Patch Diffing with Ghidra and BinDiff

25 Aug, 2023 - 6 minutes
Intro: After recently finishing the Offensive Security OSEE exam, I wanted to start looking at some real-world vulnerabilities in Windows. I had hoped I might find a recently patched vulnerability with an available PoC that could simply trigger the bug. If a PoC wasn’t available, then maybe a blog post somewhere doing a root cause analysis so I could build my own PoC to trigger the bug, and then later attempt to weaponize it.

Advanced Windows Exploitation (OSEE) Course Review: Part 2

8 Jul, 2023 - 13 minutes
Updates: When I left off in my last post, I had only just started working on the OSEE course material at home by myself. Now a whopping nine months later, I’m finally done with the training. It’s been a long road and a lot of work, but it was worth it! Best Laid Plans: My original plan when I got back from Blackhat and Defcon was to work on one module per month leading up to the exam.

Diving Into QueueJumper

1 Jun, 2023 - 27 minutes
Background: Check Point Research recently disclosed three security bugs in the Microsoft Windows MSMQ service. The most critical bug disclosed was CVE-2023-21554. They’ve named this bug QueueJumper and claim that it can result in unauthenticated remote code execution. Recently, a few coworkers discovered some vulnerable systems on their network penetration tests and were trying to find public exploits for this bug. The best they were able to find was this PoC on Github.