REinject's Blog

Deep Dive into Copy Fail: Root Cause, Exploitation, and Detection of a Linux Page Cache Vulnerability

Sat, 09 May 2026 00:00:00 +0000

CVE-2026-31431 deep dive: from an optimization commit in the AF_ALG crypto subsystem to a 9-year arbitrary file page cache overwrite vulnerability. Covers root cause analysis, kernel-level dynamic verification, 7 host privilege escalation paths, cross-tenant container attacks, and a generic detection scheme based on O_DIRECT + fanotify.

largebin attack

Tue, 21 Jan 2025 17:33:23 +0800

This article summarizes attack exploitation techniques related to the largebin.

unsortedbin attack

Thu, 16 Jan 2025 16:46:56 +0800

This article summarizes exploitation techniques related to the unsortedbin, including leaking libc addresses and UAF arbitrary address write examples.

Typora 1.9.5 Cracking

Tue, 14 Jan 2025 00:00:00 +0000

Need to use Typora — let’s crack it ourselves.

Overwriting _IO_2_1_stdout to Leak libc Address

Wed, 08 Jan 2025 00:00:00 +0000

PWN challenges almost always require the libc base address. Typically, you can obtain it by reading a libc API address filled in the program’s GOT table and calculating the base via relative offset. However, sometimes you can’t directly read the GOT. In such cases, if you have an arbitrary write primitive, you can leak the libc address by overwriting _IO_2_1_stdout.

The operation is fairly straightforward: set the flag field at the beginning of the _IO_2_1_stdout structure to 0x00000000fbad1800, modify the low byte of _IO_write_base to a smaller value, then wait for the program to call puts or printf — the libc address will be leaked to stdout.

asadstory

Tue, 07 Jan 2025 00:00:00 +0000

Challenge files

A simple stack overflow. As the Chinese saying goes: “Fortune is fickle — don’t look down on the young single dog!!!”

Inequable_Canary

Tue, 07 Jan 2025 00:00:00 +0000

Challenge files

A malformed canary challenge.

ret2csu

Tue, 07 Jan 2025 00:00:00 +0000

What is ret2csu? Nothing too fancy — learning ret2csu is about understanding the concept, not memorizing every detail.

Security Flags and Seccomp Sandbox

Tue, 07 Jan 2025 00:00:00 +0000

A brief overview of common ELF protection mechanisms — essential knowledge for CTF PWN.

ezheap2

Mon, 06 Jan 2025 00:00:00 +0000

Challenge files

A heap exploitation menu challenge.

glibc all in one

Mon, 06 Jan 2025 00:00:00 +0000

Using glibc-all-in-one combined with patchelf or the LD_PRELOAD environment variable for fast glibc version switching.

glibc malloc/free Source Code Analysis

Sun, 05 Jan 2025 00:00:00 +0000

This article analyzes Linux memory allocation and deallocation from the GLIBC source code. Understanding the relevant data structures and memory management mechanisms is fundamental to heap exploitation.

Installing pwntools on Mac

Fri, 20 Dec 2024 00:00:00 +0000

Running into errors when installing pwntools on Mac — a common issue and its fix.

GDB Cheatsheet

Sat, 07 Dec 2024 00:00:00 +0000

A summary of commonly used GDB commands.

Research on Triggers and Actions Data Structures of Scheduled Tasks in the Registry

Tue, 16 Jan 2024 00:00:00 +0000

Win7 scheduled tasks didn’t have schtasks but used the legacy at command, represented as files. Starting from Win8, the schtasks.exe command appeared — the modern scheduled task service.

Previously in Deep Dive into Windows Scheduled Tasks and Malicious Hiding Techniques, I described the general meaning of some fields in the registry but didn’t research the specific content structures, especially the binary Triggers, Actions, and other fields.

By referencing public materials and the GhostTask project, I roughly outlined the differences in Triggers and Actions structures between Win8.1 and Win10, which may be useful later.

Deletion of Arbitrary File into Escalation of Privilege

Wed, 25 Oct 2023 00:00:00 +0000

I recently saw a tweet from @AndrewOliveau. Just reading the description “arbitrary file deletions to SYSTEM” felt magical — an arbitrary file deletion vulnerability that can be turned into local privilege escalation. After reading through it with questions in mind, I found that the general approach leverages Windows’ MSI installation rollback mechanism. Seeing “Config.Msi” felt very familiar, because two or three years ago I had deeply studied this and even crafted a custom MSI package to test it — it was awesome, but I didn’t take notes and forgot about it after having fun, so now this topic has resurfaced. However, this isn’t the main focus of the article; rather, it’s about “how to turn a fixed ordinary user file deletion into an arbitrary file deletion vulnerability.”

Windows Common Persistence Backdoor Hunting

Fri, 04 Nov 2022 00:00:00 +0000

Cryptominers, ransomware, and certain rogue software frequently leverage scheduled tasks and WMI to periodically execute fileless backdoors or hijack browser homepages. How do you investigate these using PowerShell?

Hell's Gate

Fri, 29 Oct 2021 00:00:00 +0000

Hell’s Gate is a direct syscall technique on Windows that can bypass most EDR hooks at the Ring3 layer. Some quick notes on the topic.

Hijacking Resin Request/Response via Filter Injection

Wed, 22 Sep 2021 00:00:00 +0000

Injecting a filter-based memory shell in Resin to intercept and exfiltrate interface response data.

CVE-2021-36934 Windows 10 Local Privilege Escalation

Fri, 23 Jul 2021 00:00:00 +0000

Overly permissive ACLs on multiple system files, including the SAM file, allow built-in regular user groups to access SAM under certain circumstances, leading to local privilege escalation.

CVE-2021-1732 Windows 10 Local Privilege Escalation Vulnerability

Tue, 29 Jun 2021 00:00:00 +0000

The vulnerability exists in the Windows graphics driver win32kfull.sys. When win32kfull!NtUserCreateWindowEx is called to create a window with tagWND→cbWndExtra≠0, the function calls win32kfull!xxxClientAllocWindowClassExtraBytes to callback the user-mode function user32.dll!__xxxClientAllocWindowClassExtraBytes for memory allocation. An attacker can hook this user-mode function and call ntdll!NtCallbackReturn to return an arbitrary value to the kernel. When tagWND→flag contains the 0x800 flag, this return value is treated as an offset relative to the kernel desktop heap base address. A user-mode call to NtUserConsoleControl can modify tagWND→flag to include 0x800, causing the return value to be used directly for heap memory addressing, triggering an out-of-bounds memory access. Through out-of-bounds read/write, an attacker can copy the SYSTEM process token to the current process to achieve privilege escalation.

CVE-2021-40449 win32kfull!GreResetDCInternal UAF Vulnerability

Tue, 29 Jun 2021 00:00:00 +0000

Issues encountered during the CVE-2021-40449 UAF research process.

HMValidateHandle Technique

Fri, 18 Jun 2021 00:00:00 +0000

The main content of this article is translated from: https://theevilbit.github.io/posts/a_simple_protection_against_hmvalidatehandle_technique/

Looking at win32k exploitation techniques in recent years, the HMValidateHandle technique is used almost everywhere. I had an idea about how to prevent this type of exploitation, and this article discusses it.

Deep Dive into Windows Scheduled Tasks and Malicious Hiding Techniques

Mon, 11 Jan 2021 00:00:00 +0000

Malware and attackers commonly use scheduled tasks as their persistence mechanism.

From a threat detection perspective, understanding how scheduled tasks run and are created, as well as the processes associated with them, is essential.

Additionally, this article investigates and explores an undisclosed scheduled task hiding technique.

From Shellcode to Buffer Overflow: A Practical Guide

Wed, 16 Oct 2019 00:00:00 +0000

Learning stack overflow and shellcode through hands-on examples. (Notes from a long time ago — pretty outdated, take it or leave it.)

Representation of Basic Data Types in C++

Fri, 26 Jul 2019 00:00:00 +0000

Process memory is like a palace in the dark — it’s hard to see what’s inside directly; you can only explore it corner by corner. This time I explore how C++ data structures are represented in memory, primarily summarized from ‘C++ Disassembly and Reverse Analysis’, with floating-point content from Chapter 2 of ‘Computer Systems: A Programmer’s Perspective’.

Unpacking Record: Nine-Layered Demonic Tower

Mon, 15 Jul 2019 00:00:00 +0000

Challenge Description

This is Challenge #9 “Nine-Layered Demonic Tower” from the Kanxue.TSRC 2017 CTF Autumn Competition: Challenge Link

MD5 of the exe file: b8b6bfe47a9c40117e2c6bbd5839f198