ROPing our way to “Yay, RCE” - and a lesson in the importance of a good nights sleep!

From vulnerability to exploit - follow our Colleague Michaels journey of developing an ARM ROP chain to exploit a buffer overflow in uc-http

Via Return-Oriented Programming chain small code snippets, or gadgets, already present in a program’s memory can be leveraged

By chaining these gadgets together, they can execute arbitrary code without injecting anything new

Dive into the process of reverse engineering, gadget hunting, and crafting a working exploit.

Learn all about it in Michaels full report.

https://modzero.com/en/blog/roping-our-way-to-rce/

@screaminggoat @ntkramer Yeah the payload definitely doesn't match.

@screaminggoat @ntkramer Sooo, deserialization, IIS... have they left their ViewState key exposed? /speculation

@munin Their mother was a hamster and their father smelt of elderberries!

@mttaggart @GossiTheDog Some recurring themes in these repos are 1) abandonware 2) test/training code

Also, TIL you can use boolean expressions, e.g. you can filter for autogenerated keys:

https://github.com/search?q=%3CmachineKey+validationkey+path%3Aweb.config+NOT+autogenerate&type=code

Why pay for search?

(Illustration by @chazhutton for Kagi)

#Kagi #AdFree #Search #Privacy

@GossiTheDog Yeah, edits are weird around here, thanks for the clarification! I can only see npm being used for frontend stuff in .NET projects, could you perhaps link an affected repo/npm page?

@GossiTheDog Thanks! Now I'm more confused: npm does .NET these days? Or we're talking NuGet?

[RSS] Micropatches Released for Windows OLE Remote Code Execution (CVE-2025-21298)

https://blog.0patch.com/2025/02/micropatches-released-for-windows-ole.html

Daniel weekly February 7, 2025

https://lists.haxx.se/pipermail/daniel/2025-February/000099.html

old security, ssh security, BBC, URLs from file, you can help, curl up CVE-2024-7264, EOSAwards, Workshop, FOSDEM, 1337, release, regressions, release candidates, codeql, no goods

If you use Signal, Discord, or any other messaging app and you DON'T want Google or Apple monitoring/reading/learning from your messages, follow these steps.

Android:
1. Open Google app
2. Tap your profile photo
3. Settings
4. Google Assistant
5. "Your Apps"
6. Choose the app (e.g., Signal)
7. Toggle "Let your assistant learn from this app" off

iPhone:
1. Settings
2. Apps
3. Choose the app (e.g., Signal)
4. Toggle Apple intelligence or Siri settings to off (“learn from this app”)

@screaminggoat @zeljkazorz @GossiTheDog "However, due to inadequate server configurations, attacks become possible if *the serialized data is not verified* (CWE-642)" - this sounds more like disabled MAC than leaked key to me

Windows Telephony Services: 2025 Patch Diffing & Analysis https://blog.securelayer7.net/windows-telephony-services-2025-patch-diffing-and-analysis-pt-1/

Creating a toy operating system

https://github.com/cfenollosa/os-tutorial

https://539kernel.com/

https://github.com/tuhdo/os01/blob/master/Operating_Systems_From_0_to_1.pdf

UK orders Apple to put backdoor in iCloud encryption (Advanced Data Protection, which is end-to-end encrypted):
https://www.theverge.com/news/608145/apple-uk-icloud-encrypted-backups-spying-snoopers-charter

The way this plays out is that UK iPhones lose the Advanced Data Protection feature, right?
Right??

@GossiTheDog Forgive my ignorance, what is nom?

Big news in Italy around the government misusing Paragon, and Paragon ended up cutting the contract citing misuse/ethical violations.
I commend Paragon on this one, the misuse was pretty blatant and as Italian sad to see. This is how the industry should react to misuse!

****For students and private individuals (not paid by a company) ONLY***

We are releasing a very limited amount of tickets for students and private individuals.

These tickets will be discounted in price and are separate from the waiting list.

Please email us with your story and background on why you want the ticket to info(at)offensivecon(dot)org

Students will have to bring a valid student ID to the conference.

We would love to see submissions from anyone.
Time is running out. Don’t let the ticket to @reverseconf go to waste.

For those who are stuck at the exploitation part, the picture we showed previously and this article will help a bit
https://github.com/vp777/Windows-Non-Paged-Pool-Overflow-Exploitation

https://bird.makeup/@starlabs_sg/1877697987758960773

@cynicalsecurity @jeroen "I don't understand what exactly happened last night on LinkedIn, but I know it is dark and sad and reeks of unfulfilled wants. The executive sat before me has been marketed to."

https://ludic.mataroa.blog/blog/brainwash-an-executive-today/