Forwarded from Android Security & Malware
Android backdoor hijacks Telegram accounts, gaining complete control over them
https://news.drweb.com/show/?i=15076&lng=en&c=5
Dr.Web
Baohuo, the gray eminence. Android backdoor hijacks Telegram accounts, gaining complete control over them
Doctor Web has identified a dangerous backdoor, Android.Backdoor.Baohuo.1.origin (https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&lng=en), in maliciously modified versions of the Telegram X messenger. In addition to being…
Forwarded from ReverseEngineering
┌──────────────┐ ← High addresses
│    Stack     │ ← Local variables, return addresses
├──────────────┤
│    Heap      │ ← Dynamic objects (malloc/new)
├──────────────┤
│  BSS & Data  │ ← Global/static variables
└──────────────┘ ← Low addresses
Exploits usually occur in the Stack or Heap
🧨 Most important types of bugs in Binary Exploitation
Type of vulnerability and what it does:
- Buffer Overflow: writing more data than the buffer holds can overwrite the return address
- Stack-based Overflow: the stack is usually overflowed to take control of EIP/RIP
- Heap Overflow: overflowing a heap chunk corrupts malloc's structures
- Use-After-Free: using a pointer after it has been freed gives control over the freed memory
- Format String Bug: unsafe use of printf can leak memory or write to it
- Integer Overflow/Underflow: causes wrong memory allocation sizes or bypasses checks
- Double Free: freeing a pointer twice leads to heap corruption
🧭 General steps of Binary Exploitation:
1. Trigger the bug (create a crash): make the program crash with specific input, for example by overflowing the buffer with a very long string.
2. Analyze the bug: use gdb, pwndbg, gef, or radare2 to understand what exactly was overwritten, which registers are controllable, and what the execution flow looks like.
3. Leak information: to bypass ASLR or PIE you need to leak addresses, for example by using a format string to print pointers.
4. Build the exploit payload: for example a ROP chain or shellcode; carefully redirect the return address to your gadgets or shellcode.
5. Bypass protections: modern browsers and binaries have protections such as:
   - ASLR: addresses are randomized, so you need a leak
   - NX / DEP: the stack is not executable, so you use ROP
   - Canary: the stack canary must be leaked or bypassed
   - PIE / RELRO: harden control over GOT/PLT
6. Take control: usually an exploit ends in one of the following:
   - executing shellcode and getting a shell 🐚
   - executing a ROP chain to run system commands
   - changing the program's behavior in the attacker's favor
🧰 Important tools in Binary Exploitation
Most used tools:
- gdb + pwndbg or gef: debugging, crash and memory analysis
- radare2, Ghidra, IDA Pro: binary reverse engineering
- ROPgadget, ROPPER: finding ROP gadgets
- pwntools: quickly building exploits in Python
- angr, Qiling: symbolic analysis or advanced emulation
- checksec: checking binary protections
🧪 Very simple classic Stack Overflow example
Vulnerable code:
    #include <stdio.h>
    #include <string.h>

    void vuln(void) {
        char buf[64];                  // 64-byte buffer on the stack
        gets(buf);                     // ❌ Insecure: no length limit, reads until newline
        printf("You said: %s\n", buf);
    }

    int main(void) {
        vuln();
        return 0;
    }
If you give more than 64 bytes of input, you can overwrite the return address and redirect execution to your shellcode address instead of returning to main.
@reverseengine
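A hardened counterpart to the vuln() above, added here as an example (it is not code from the post): the same 64-byte stack buffer, but filled with a bounded fgets()-based read that also drains over-long lines, plus a self-check fed with constructed input. The names read_line_bounded, vuln_fixed and check_input are chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for gets(buf): reads one line into dst (at most
 * dstsz-1 chars), strips the trailing newline and drains the rest of an
 * over-long line so the next read starts on a fresh line. Returns 1 if
 * input was truncated, 0 if the whole line fit, -1 on EOF/error. */
int read_line_bounded(char *dst, size_t dstsz, FILE *in) {
    if (dstsz == 0) return -1;
    if (fgets(dst, (int)dstsz, in) == NULL) { dst[0] = '\0'; return -1; }
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';            /* whole line fit, newline consumed */
        return 0;
    }
    /* No newline in the buffer: the line was longer than dstsz-1 chars, or
     * it was the final line at EOF. Drain to end of line and report which. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}

/* Hardened vuln(): same 64-byte buffer, the return address stays intact. */
void vuln_fixed(FILE *in) {
    char buf[64];
    if (read_line_bounded(buf, sizeof buf, in) >= 0)
        printf("You said: %s\n", buf);
}

/* Self-check: push a constructed line through a 64-byte buffer and report
 * whether the return code and number of kept chars match (tmpfile is ISO C). */
int check_input(const char *line, int want_rc, size_t want_len) {
    char buf[64];
    FILE *in = tmpfile();
    if (in == NULL) return 0;
    fputs(line, in);
    rewind(in);
    int rc = read_line_bounded(buf, sizeof buf, in);
    fclose(in);
    return rc == want_rc && strlen(buf) == want_len;
}

int main(void) {
    /* 80 'A's: the post's "more than 64 bytes" case, now truncated safely. */
    int ok = check_input("AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
                         "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "\n", 1, 63);
    printf("overlong input handled safely: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Build it with -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -fPIE -pie -Wl,-z,relro,-z,now to get the canary, PIE and RELRO protections the post lists, and confirm with checksec; with -Wall the compiler also warns about the original gets() call.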
I made a Flipper Zero BadUSB alternative with an ESP32-S3 to automate my PC https://www.xda-developers.com/made-flipper-zero-badusb-alternative-esp32/
XDA
I made a Flipper Zero BadUSB alternative with an ESP32-S3 to automate my PC
With an ESP32, I built a BadUSB device that can send inputs to my PC.
Forwarded from ReverseEngineering
CVE-2025-43300
PoC:
RCE iOS 18.6.10
https://github.com/b1n4r1b01/n-days/blob/main/CVE-2025-43300.md?fbclid=IwZXh0bgNhZW0CMTEAAR4GEIShnUYvwBjuHqzKsE0ZjoimJ4zjWfLEYN3vmc7t6BYAlALJtqLQ630Oaw_aem_fsraRT0BI9kfRhL89TRepw
@reverseengine
GitHub
n-days/CVE-2025-43300.md at main · b1n4r1b01/n-days
Exploiting Retbleed CPU vulnerability by @_MatteoRizzo and @theflow0
https://bughunters.google.com/blog/6243730100977664/exploiting-retbleed-in-the-real-world
Google
Blog: Exploiting Retbleed in the real world
Curious to hear about our experience exploiting Retbleed (a security vulnerability affecting modern CPUs)? Then check out this post to see how we pushed the boundaries of Retbleed exploitation and understand more about the security implications of this exploit…
Windows X86-64 System Call Table (XP/2003/Vista/7/8/10/11 and Server)
https://j00ru.vexillium.org/syscalls/nt/64/