This post describes an alternative method of exploiting
PwnKit (CVE-2021-4034)
from Qualys without leaving behind logs.
The exploit method described in the Qualys advisory suggests triggering a call
to g_printerr within the validate_environment_variable function. As a
result…
Read more...
Windows (at times) uses the int 0x2e instruction to execute syscalls. The
following image shows a disassembly of the ZwAccessCheck syscall from
ntdll.dll:
Binary Ninja (as of Version 2.4.3050-dev) is not able to lift the int 0x2e
instruction. The int 0x2e branch in ZwAccessCheck i…
Read more...
Binary Ninja is a great platform for automating some reverse engineering tasks,
especially with the headless mode available for commercial licenses. In this
post, we will use Binary Ninja to automate extracting Windows syscall numbers
from ntdll.dll.
binaryninja.open_view is a co…
Read more...
Binary Ninja has experimental support
for writing plugins in Rust and the provided template
is a good starting point for figuring out how to write one.
This post will cover some (hopefully useful) getting started tips. A sample
plugin can be found on GitHub.
rust-toolchain.toml
…
Read more...
All vulnerabilities mentioned in this post were tested against firmware version
V1.0.18; older versions might be affected as well. Affected devices should be
updated to V1.0.23 to resolve the issues.
Proof-of-concept exploits for all vulnerabilities can be found here:
https://git…
Read more...