exploits.club Weekly Newsletter 77 - MS-RPC Fuzzing, Printer Hacking, Arbitrary Decrement Primitives, And More

Our "Pacers in 7" comment last week did not take into account that the superstar player could potentially injure himself within the first 6 minutes. This is why you shouldn't gamble, kids. Annnnnnyways 👇 now that at least half the audience has no idea what we are talking about....
Binja Give Away Complete!
Our newsletter is a little late today because we were setting up our lava lamps and trying to draft a giveaway winner email that didn't sound like a phishing scam.
That said, the Binary Ninja Giveaway winner has been notified! Congrats to the winner, please check your email and respond within the next 7 days.
The announcement was sent from *.exploits.club account, so could be in spam or any number of other places.
We have one more license to giveaway...we will plan to run that sometime in the next few months!!
In Case You Missed It...
- Patch Diffing On Stream - @Steph3nSims is doing a live Microsoft Patch Diff on stream tomorrow. Certainly worth the watch!
- From Zero To QEMU - Get spun up on everyone's favorite emulation engine. There will be a live session for it tomorrow at 6PM CST as well! Sounds like you might have a busy Friday.
Resources And Write-Ups From This Week:
- Automating MS-RPC vulnerability research - If there is one thing we know about good vuln researchers, it's that they love to automate parts of their workflows to be more effective at getting to the good stuff - finding bugs. This new white paper from Remco van der Meer is a perfect example of how this can be done the right way. In his post, he walks through the MS-RPC fuzzing workflow he was able to automate. Built on top of James Forshaw's NtObjectManager, the write-up explains how Remco built extensions that automate the discovery and fuzzing process for different RPC endpoints. The post is extremely in-depth, covering relevant background on MS-RPC, previous research and tooling, and detailing his unique approach to the problem. It wraps up with 9 disclosed vulnerabilities, some thoughts on effectiveness, and ideas for how the research could be expanded.
- PrintScan Hacks: Identifying multiple vulnerabilities across multiple Brother devices - Few things get us going more than a good printer hacking session. We blame the OG gamozolabs streams and the Pwn2Own mobile write-ups for this guilty pleasure. Thankfully, industry legend @stephenfewer came through this week with a detailed report of his recent research on Brother printers. The report discloses 8 total vulnerabilities, ranging from SSRF to memory corruption to good ole denial of service. The show stopper, however, was the ability to leak the serial number of the device and then use it to generate the default password. Funny enough, Brother's team responded that this can't actually be patched out in firmware and will be reworked in a hardware revision. There is a workaround but like...c'mon. The rest of the findings are presented in a nice, digestible, pentest-style format.
- Primitive Injection - Breaking the Status Quo - Research from @trickster012 dropped this week, explaining a new way to do remote process injection that requires fewer permissions. Specifically, the post walks through a way to remotely allocate, read, and write memory without needing the usual PROCESS_VM_OPERATION or PROCESS_VM_WRITE access rights. This is achieved through three full function calls (not ROP gadgets, as originally intended) that give him the primitives needed. The post walks through each primitive, the target function, and any tricks needed to get it working as expected. It also details how the use of full functions helps achieve a CFG bypass, and theorizes about a partial CET bypass.
- How This Weird Audio Trick Corrupts the Heap (CVE-2025-31200 #2) - A few ECs ago, we covered part one of @bellis1000's video series breaking down CVE-2025-31200, an iOS bug triggered by a malicious media file. This week he added the second entry in the series, picking up where we left off and continuing to untangle the root cause analysis, the patch, and the primitive associated with the vuln. In true Billy Ellis style, the concepts are clearly explained, and the animations / color palette are just so good. The video also does a great job of giving background on the necessary subsystems, so you don't have to come in as an iOS expert (spoiler alert: we are not). It's worth every second of the 9 minute runtime, so go check it out.
- MacOS Sandbox Escape via Double Free in coreaudiod/CoreAudio Framework - Saw this pop up on the P0 bug tracker. A fun little double-free caused by improper exception handling, which results in two destructors being called on the same memory address. There is a PoC included, per usual, along with a DTrace script showing how the bug is triggered.
- Decrement by one to rule them all: AsIO3.sys driver exploitation - TALOS dropped a few bugs they found (this morning...at 6 AM. Really working hard to bring you the latest news here at Exploits Club). Recently, they decided to audit a driver associated with ASUS's Armoury Crate. The driver in question (AsIO3.sys) suffered from an auth bypass and a stack overflow. The post describes the reverse engineering process and the authentication mechanism in use. They achieved the auth bypass with a clever hard link. From there, they found an IOCTL that allowed decrementing any arbitrary memory address by 1. The combination of the two could be turned into a full privesc. And for those of you wondering about the stack overflow, that one was found almost by accident during this research, and relates to improper validation of a file path length.
- Crash (exploit) and burn: Securing the offensive cyber supply chain to counter China in cyberspace - If we are being honest, we haven't finished this one yet - so we will give you a good 3 sentence summary (if that is even possible) next week. But the buzz around it has been too good not to include it this week, even if we weren't able to get through our summer required reading in time.
Interesting Job Postings:
- Red Team Platform And Hardware Security Researcher @ Apple (On-Site: Cupertino, CA)
- Senior Vulnerability Researcher @ Booz Allen Hamilton (On-Site: Fort Meade, MD)
- Principal Game Security Engineer @ Scopely (Remote: US)
- Security Research Engineer @ Cisco - TALOS (On-Site: Fulton, MD)
- DoD SkillBridge Vulnerability Researcher @ Research Innovations Inc (On-Site: St Pete Beach, FL)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Want to support us? Buy us a coffee ☕️
Don't forget to check out https://bug.directory!

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️
