PwnKit Exploit Without Logs (CVE-2021-4034)

This post describes an alternative method of exploiting PwnKit (CVE-2021-4034) from Qualys without leaving behind logs. The exploit method described in the Qualys advisory suggests triggering a call to g_printerr within the validate_environment_variable function. As a result…

Lifting int 0x2e to LLIL_SYSCALL with Binary Ninja

Windows (at times) uses the int 0x2e instruction to execute syscalls. The following image shows a disassembly of the ZwAccessCheck syscall from ntdll.dll: Binary Ninja (as of Version 2.4.3050-dev) is not able to lift the int 0x2e instruction. The int 0x2e branch in ZwAccessCheck i…

Parsing Windows Syscall Numbers with Binary Ninja

Binary Ninja is a great platform for automating some reverse engineering tasks, especially with the headless mode available for commercial licenses. In this post, we will use Binary Ninja to automate extracting Windows syscall numbers from ntdll.dll. binaryninja.open_view is a co…

Binary Ninja Rust Hello World

Binary Ninja has experimental support for writing plugins in Rust and the provided template is a good starting point for figuring out how to write one. This post will cover some (hopefully useful) getting started tips. A sample plugin can be found on GitHub. rust-toolchain.toml …

ProLink PRC2402M V1.0.18 Multiple Vulnerabilities

All vulnerabilities mentioned in this post were tested against firmware version V1.0.18; older versions might be affected as well. Affected devices should be updated to V1.0.23 to resolve the issues. Proof-of-concept exploits for all vulnerabilities can be found here: https://git…