Exploiting CVE-2021-43247

In this blog post I will go in depth into the inner workings of CVE-2021-43247, which was fixed on the 14th of December 2021. This bug was classified as “Windows TCP/IP Driver Elevation of Privilege Vulnerability”. The vulnerability itself was probably dormant for a long time, but became exploitable when the AF_UNIX address family was first introduced in 2019.

I will also take this as an excuse to explain in detail what drivers are, how user space communicates with drivers, what a Local Privilege Escalation (LPE) is and how we can achieve it in this case.

16 minutes to read
Pascal Beyer

Installing new .NET versions on a Windows 7 VM

In this post, I will explain how to install .NET Framework 4.8 on a Windows 7 VM.

Motivation

Virtual machines running Microsoft Windows are frequently used for dynamic analysis of Windows executables. Windows 7 is still used for analysis VMs, although it is no longer supported by Microsoft and ships with an outdated .NET version. If a sample requires a .NET version that is not present on the analysis VM, the execution fails and the file cannot be analysed. For this reason it might be required to install a recent .NET version on a Windows 7 VM.

2 minutes to read
Manuel Blatt

Fuzzing Network Applications with AFL and libdesock

Fuzzing network servers with AFL is challenging since AFL provides its input via stdin or command line arguments while servers get their input over network connections. As the popularity of AFL grew, many attempts have been made to fuzz popular servers like Apache and nginx using different techniques and hacky workarounds. However, an off-the-shelf network fuzzing solution for AFL didn’t exist for a long time until so-called “desocketing” tools emerged. These desocketing tools enabled network fuzzing without making a lot of additional modifications to the program under test and quickly became widely used in combination with AFL.

7 minutes to read
Patrick Detering