Thomas Vanhoutte

Making the ZDI localhost escape work from EPM!
I am of course referring to this bug: https://community.saas.hpe.com/t5/Security-Research/There-s-No-Place-Like-Localhost-A-Welcoming-Front-Door-To-Medium/ba-p/274800#.WUFBAmjyiUk Microsoft never patched this because it did not work from EPM, only PM. While m...

Localhost abuse!
(These 3 all abuse the addon installer, it's basically the code from my previous blogpost with a few modifications ;) ) Add this to an HTML file: <!-- saved from url=(0016)http://localhost --> And open it in IE11! This however will only work if your html fil...

One of my first sandbox escapes and bugs
Below is one of my first sandbox escapes, and my entry into vulnerability research. My first bugs relied heavily on the work that forshaw did (my later ones deviated from that... but we all have to start somewhere). I just copy-pasted the original report with...

Abusing AV software for arbitrary deletion
Here is just an idea that I had been playing around with a while ago. The issue with this is that it would potentially work from a guest account. This can lead to a whole range of issues, and in the absolute worst case, full LPE. (since we basically can del...