Ayrx's Blog

This post describes an alternative method of exploiting PwnKit (CVE-2021-4034) from Qualys without leaving behind logs. The exploit method described in the Qualys advisory suggests triggering a call to g_printerr call within the validate_environment_variable function. As a result…

Windows (at times) use the int 0x2e instruction to execute syscalls. The following image shows a diassembly of the ZwAccessCheck syscall from ntdll.dll: Binary Ninja (as of Version 2.4.3050-dev) is not able to lift the int 0x2e instruction. The int 0x2e branch in ZwAccessCheck i…

Binary Ninja is a great platform for automating some reverse engineering tasks, especially with the headless mode available for commercial licenses. In this post, we will use Binary Ninja to automate extracting Windows syscall numbers from ntdll.dll. binaryninja.open_view is a co…

Binary Ninja has experimental support for writing plugins in Rust and the provided template is a good starting point for figuring out how to write one. This post will cover some (hopefully useful) getting started tips. A sample plugin can be found on GitHub. rust-toolchain.toml …

All vulnerabilities mentioned in this post were tested against firmware version V1.0.18, older versions might be affected as well. Affected devices should be updated to V1.0.23 to resolve the issues. Proof-of-concept exploits for all vulnerabilities can be found here: https://git…