Arzedlab 🪵

About Me

Fri, 28 Nov 2025 00:00:00 +0000

My name is Ravshan Rikhsiev, a cybersecurity researcher at ONESEC with a technical focus on low-level systems: firmware, kernel subsystems, compilers, reverse engineering, and low-level programming. My research spans vulnerability discovery, exploit development, and methods to make fixes verifiable and safe in production systems. I regularly publish technical posts, present at security workshops, and mentor students because I believe strong communities accelerate learning and responsible research. On this site, you’ll find writeups, tools, and reproducible artifacts from my projects, along with resources for hands-on learning. Off-duty from systems exploration, my passion is cycling, which is where I think, recharge, and plan new outreach initiatives. If you’re interested in collaboration, teaching, or talks, please get in touch.

Publications & Papers & Conferences

Fri, 28 Nov 2025 00:00:00 +0000

Speaker at Conference

KazHackStan 2025, Almaty - “Uncovering Memory Flaws with Taint Analysis”
Positive Hack Talks, Cairo & Cyberkent 3.0, Tashkent - “Unveiling eBPF: Reversing, Exploring the Verifier, and CVEs”

Workshops Conducted

Inha University - Breaking the Browser: V8 Internals and Exploitation Primitives
Turin Polytechnic University in Tashkent - Introduction to Malware Analysis: A Hands-On Workshop
British University in Tashkent - Navigating the Cyber Landscape: Basics, Vulnerabilities, and CVEs

Publications

Firmware reverse engineering and analysis of router devices

Mon, 24 Nov 2025 00:00:00 +0000

Firmware reverse engineering and analysis of router devices

Intro

First of all, hello everyone. We’re here to discuss routers, which are essential devices in our lives. Probably, more people don’t even know what it is. I have always been interested in security. How secure are they? In this post, I will discuss the feasibility of extracting the firmware and attempting to reverse it. Believe me, it is more interesting. In the market, there are routers from high-profile enterprises like Fortinet to budget home brands like TP-Link and Tenda, as well as other Chinese brands.

Exploring Integer Overflow: libxml2 Integer Overflow, which leads to OOB

Fri, 22 Aug 2025 00:00:00 +0000

Exploring Integer Overflow: libxml2 Integer Overflow OOB

In everyday life, numbers feel endless. You can always count one higher, or subtract one more. But computers don’t work like that. Inside your machine, numbers are stored in fixed-sized containers and when you push them past their limits, strange things happen. When a calculation produces a value that’s too large or too small for its container, we get integer overflow or integer underflow.

Linux Kernel Exploitation Part 1: ret2usr

Thu, 05 Jun 2025 00:00:00 +0000

Kernel Exploitation ret2usr Part 1

compress.sh - To extract compressed image from linux

#!/bin/sh
gcc -o exploit -static $1
mv ./exploit ./initramfs
cd initramfs
find . -print0 \
| cpio --null -ov --format=newc \
| gzip -9 > initramfs.cpio.gz
mv ./initramfs.cpio.gz ../

run.sh - Run qemu configuration

#!/bin/sh
qemu-system-x86_64 \
 -s \
 -m 128M \
 -cpu kvm64,+smep,+smap \
 -kernel vmlinuz \
 -initrd initramfs.cpio.gz \
 -hdb flag.txt \
 -snapshot \
 -nographic \
 -monitor /dev/null \
 -no-reboot \
 -append "console=ttyS0 quiet panic=1 nosmep nosmap nopti nokaslr"

As you can see all security mitigations are turned off. -s flag set for debugging the linux kernel.

Linux Kernel Exploitation Part 2: Adding Mitigitions

Thu, 05 Jun 2025 00:00:00 +0000

Kernel 2: Adding Mitigitions

Adding SMEP

SMEP, abbreviated for Supervisor mode execution protection (SMEP), is a feature that marks all the userland pages in the page table as non-executable when the process is exectuting in kernel-mode. In the kernel, this is enabled by setting the 20th bit of Control Register CR4.

Check it’s in gdb

Run the qemu with -s and on qemu boot, it can be enabled by adding +smep to -cpu, and disabled by adding nosmep to -append.

EXIM: CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

Mon, 26 May 2025 00:00:00 +0000

EXIM: Analysis 4.92.1-R

This is just as re-analysis to better understand, the reporter and author of there vulnerabileties is company Qualys official link: https://www.qualys.com/2021/05/04/21nails/21nails.txt

CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

Callers of pdkim_finish_bodyhash()

main() → receive_msg() → dkim_exim_verify_finish()

dkim_exim_verify_finish() be called to verify DKIM (DomainKeys Identified Mail) signature, then calls pdkim_feed_finish() , which calls pdkim_finish_bodyhash()

DKIM (DomainKeys Identified Mail) looks like this.

Code of the function pdkim_finish_bodyhash()

...
 /* VERIFICATION --------------------------------------------------------- */
 /* Be careful that the header sig included a bodyash */

 if ( sig->bodyhash.data
 && memcmp(b->bh.data, sig->bodyhash.data, b->bh.len) == 0)
 {
 DEBUG(D_acl) debug_printf("PDKIM [%s] Body hash compared OK\n", sig->domain);
 }
 else
 {
 DEBUG(D_acl)
 {
	debug_printf("PDKIM [%s] Body hash signature from headers: ", sig->domain);
	pdkim_hexprint(sig->bodyhash.data, sig->bodyhash.len);
	debug_printf("PDKIM [%s] Body hash did NOT verify\n", sig->domain);
	}
 sig->verify_status = PDKIM_VERIFY_FAIL;
 sig->verify_ext_status = PDKIM_VERIFY_FAIL_BODY;
 }
...

Unfortunately, at line 826, sig->bodyhash.data is attacker-controlled (through a “DKIM-Signature:” mail header) and memcmp() is called without checking first that sig->bodyhash.len is equal to b->bh.len: memcmp() can read sig->bodyhash.data out-of-bounds. If the acl_smtp_dkim is set (it is unset by default), an unauthenticated remote attacker may transform this vulnerability into an information disclosure; we have not fully explored this possibility.

Android Cheatsheet

Fri, 17 Jan 2025 11:13:32 +0500

Android root in Genymotion

adb shell setprop persist.sys.root_access 3

Setting up your Android device

$ adb shell getprop ro.product.cpu.abilist # check your device cpu type

$ unxz frida-server.xz

$ adb root # might be required
$ adb push frida-server /data/local/tmp/
$ adb shell "chmod 755 /data/local/tmp/frida-server"
$ adb shell "/data/local/tmp/frida-server &"

$ frida-ps -U

frida -U -l multi-bypass.js -f uz.paynet.flagship_mobile

Downloading And Merging APKs

adb shell pm list packages -3 | grep telegram

$ adb

One command

Linux Heap Exploitation internals

Tue, 14 Jan 2025 00:00:00 +0000

LIFO AND FIFO

LIFO (Last-In, First-Out) and FIFO (First-In, First-Out) are two fundamental methods for managing data structures, each with distinct characteristics and applications.

LIFO (Last-In, First-Out):

Structure: Commonly implemented using a stack, where the most recently added item is the first to be removed.
Analogy: Think of a stack of plates; you add and remove plates from the top.
Applications:
- Memory Management: Utilized in function call management and recursive processes, where the last called function is the first to return.
- Undo Functionality: In applications like text editors, the last action performed is the first to be undone.
- Browser History: The most recently visited page is the first to be revisited when navigating backward.

FIFO (First-In, First-Out):

Linux Heap Exploitation: Unsafe Unlink

Tue, 14 Jan 2025 00:00:00 +0000

Unsafe Unlink

Introduction

The “Unsafe Unlink” technique is a heap exploitation attack that was once quite common. It involves manipulating the unlink macro in malloc.c to remove a chunk from a bin. This attack exploits the pointer manipulation done in the unlink macro, which can lead to arbitrary code execution or other malicious activities.

When we free allocated unsorted bin, it will be freed from a doubly linked list.

A doubly linked list is a type of data structure that consists of a sequence of elements, where each element (or node) contains three parts:

write4 | ROPEmporium [4]

Tue, 12 Nov 2024 15:45:36 +0500

Functions themselves are in an external library we should call it from there. Imported files proves the command rabin2 -i <binary>

callme | ROPEmporium [3]

Tue, 12 Nov 2024 15:19:36 +0500

Ok we have three functions, and we should call them with arguments, which are given, there are 0xdeadbeef, 0xcafebabe, 0xd00df00d . Functions itself are in external library we should call them one by one. Buffer overflow offset is the same, and checksec

split | ROPEmporium [2]

Tue, 12 Nov 2024 14:20:25 +0500

In this challenge, we should run system() function with argument /bin/cat flag.txt

ret2win | ROPEmporium [1]

Mon, 11 Nov 2024 11:41:24 +0500

One common introductory ROP challenge is known as ret2win. The goal is to call a specific function in the program called ret2win, which prints a success message and reveal a flag.txt

Full-Technical Analysis of DcRAT: Dissecting the Stealth, Persistence, and Power of DarkCrystal RAT

Sat, 31 Aug 2024 00:00:00 +0000

IOC

Malicious file: “Огохланитриш_хати06.08.2024.pdf.exe_”

Hashes

Тип	Значения
MD5	2cdb1d87940645acadcec093307b91dd
SHA1	fb16cec8b295ad76ff7ecbc1aa769e6553c7e5ba
SHA256	e6e93d2ec20e1aec2db995ae2a98eb35231d0b80564d257e4d9b87b0cbfc95af

Загруженные исполняемые файлы

Путь	SHA256 Hash
C:\Users\username\AppData\Roaming\2ZbCeAH0wY.exe	caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131
C:\Users\username\AppData\Roaming\NjcXx3wcvK.exe	7526e43bb967b29c8a3afbb4ae23a86184f5eadf4279dace89c18946b2e63a9e
C:\Users\username\Desktop\RgkotKHZ.log	aab95596475ca74cede5ba50f642d92fa029f6f74f6faeae82a9a07285a5fb97
C:\Users\usernam\Desktop\MliXleSf.log	1f02230a8536adb1d6f8dadfd7ca8ca66b5528ec98b15693e3e2f118a29d49d8

DNS requests

Domain

476072cm[.]nyashsens[.]top

IP addresses

20.166.126.56

95.101.149.131

80.211.144.156

HTTP/HTTPS requests

URL

hxxp[://]476072cm[.]nyashsens[.]top/ExternalRequestUpdateMultiuniversallocal[.]php

hxxp[://]ocsp[.]digicert[.]com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D

hxxp[://]www[.]microsoft[.]com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018[.]crl

hxxp[://]www[.]microsoft[.]com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202[.]1[.]crl

Introduction

DCrat (Dark Crystal RAT) is an advanced remote access trojan that first appeared in 2018 and has since been used by threat actors in a variety of cyberattacks. DCrat is notable for its modular architecture, which lets attackers enable or disable features according to the goals of a campaign.

How to catch smart hackers? Honeypots

Thu, 20 Jun 2024 00:00:00 +0000

Honeypot: An Advanced Cybersecurity Strategy, understanding the Concept of a Honeypot

In the vast landscape of cybersecurity, the term “honeypot” often crops up. But what exactly is a honeypot, and why is it so vital in the world of computer security? Let’s dive into this intriguing concept, breaking it down into easily digestible pieces.

The Lure of the Honeypot

Imagine a jar of honey left out in the open. It’s sweet, tempting, and irresistible to anyone who happens to stumble upon it. In the digital world, a honeypot works similarly. It’s a system or a network deliberately set up to attract cyber attackers, just like the honey attracts bees. However, unlike the real honey which is meant to be consumed, a honeypot is there to watch, learn, and trap malicious actors.

Heap Overflow in assimp

Fri, 05 Apr 2024 00:00:00 +0000

Heap Overflow #6019

Bug: Heap-based Buffer Overflow in AI_MD5_PARSE_STRING_IN_QUOTATION

Source: https://github.com/assimp/assimp/issues/6019

Summary

heap buffer overflow in AI_MD5_PARSE_STRING_IN_QUOTATION. An attacker could potentially exploit the vulnerability to cause a remote code execution, if they can trick the victim into running assimp on a malformed MD5 file.

Heap Overflow was caused by function memcpy

MEMCPY(3) Linux Programmer's Manual MEMCPY(3)

NAME
 memcpy - copy memory area

SYNOPSIS
 #include <string.h>

 void *memcpy(void *dest, const void *src, size_t n);

DESCRIPTION
 The memcpy() function copies n bytes from memory area src to memory area dest. The memory areas must not overlap. Use memmove(3) if the memory areas do overlap.

RETURN VALUE
 The memcpy() function returns a pointer to dest.

ATTRIBUTES
 For an explanation of the terms used in this section, see attributes(7).

ACID FLOW

ASAN giving heap overflow error in fucntion AI_MD5_PARSE_STRING_IN_QUOTATION

CVE-2021-38003 The Hole Leak to RCE

Sat, 30 Mar 2024 00:00:00 +0000

CVE-2021-38003 | The Hole Leak to RCE

Type Of Vulnerability	The Hole Leak
Security Severity	High
Effected Components	Javascript, Turbofan
Issue Source	https://issues.chromium.org/issues/40057710
Writeup Source(s)	None
Tested Version	Google Chrome 95.0.4638.54 (Official Build) (x86_64)
Vulnerable commit	a4252db3228433fed5c2bdb0fdff9a6b7b638f3b

Deep Dive Into Vulnerability

[1] The vulnerability arises as V8 attempts to handle exceptions in JSON.stringify(). If a exception appears in the built-in function, pending_exception_ is set by the Isolate::set_pending_exception() method. The calling code then moves to the V8 exception handling mechanism, where the Isolate::pending_exception() member is fetched from the active isolate and the currently active JavaScript exception handler is invoked using it.

CVE-2020-6418 Type Confusion V8

Fri, 02 Feb 2024 13:13:13 +0500

CVE-2020-6418 | Incorrect Optimization

Research Done By Ravshan Rikhsiev (2023)

Type Of Vulnerability	Type Confusion
Security Severity	High
Effected Components	Javascript, Turbofan, Optimizer
Issue Source	https://issues.chromium.org/issues/40051542
Writeup Source(s)	Later
Tested Version	V8 8.2.0
Vulnerable commit	bdaa7d66a37adcc1f1d81c9b0f834327a74ffe07

CVE-2020-6418 is a security vulnerability that was identified in the V8 JavaScript engine, which is used in various web browsers including Google Chrome. This vulnerability was reported by Clement Lecigne of Google’s Threat Analysis Group on 2020-02-18 [1] and assigned CVE-2020-6418. It was classified as a type confusion bug in the V8 engine.

CVE-2019-5782 Out-Of-Bounds V8

Fri, 01 Dec 2023 13:13:13 +0500

CVE-2019-5782 | OOB V8

Research Done By Ravshan Rikhsiev (2023)

Type Of Vulnerability	Out-Of-Bounds
Security Severity	High
Effected Components	Javascript, Turbofan, Compiler
Issue Source	https://bugs.chromium.org/p/chromium/issues/detail?id=906043
Writeup Source(s)	None
Tested Version	V8 7.3.0
Vulnerable commit	18b28402118b7918512c3e5b6bc5c6f348d43564

Building

mkdir v8
cd v8
fetch v8
cd v8
# Moving into vulnerable commit
git checkout 18b28402118b7918512c3e5b6bc5c6f348d43564
# Sync depot tools
gclient sync -D
# Installing dependencies 
build/install-build-deps.sh
# Installing ninja to build
sudo apt install -y ninja-build
# Release and Debug versions of V8
tools/dev/gm.py x64.release; tools/dev/gm.py x64.debug

Incorrect optimization assumptions in V8

Turbofan is an optimizing compiler in the V8 JavaScript engine. It translates JavaScript code into highly optimized machine code for better performance. It uses various techniques, such as inlining functions, optimizing data types, and eliminating unnecessary operations, to generate efficient code. This helps improve the execution speed of JavaScript programs running in V8.

V8 Internals: Tree

Sat, 05 Aug 2023 00:00:00 +0000

V8 source tree

v8/
├─ src/
│ ├─ [api]
│ ├─ [asmjs]
│ ├─ [ast]
│ ├─ [base]
│ ├─ [baseline]
│ ├─ [bigint]
│ ├─ [builtins]
│ ├─ [codegen]
│ ├─ [common]
│ ├─ [compiler-dispatcher]
│ ├─ [compiler]
│ ├─ [d8]
│ ├─ [date]
│ ├─ [debug]
│ ├─ [deoptimizer]
│ ├─ [diagnostics]
│ ├─ [execution]
│ ├─ [extensions]
│ ├─ [flags]
│ ├─ [fuzzilli]
│ ├─ [handles]
│ ├─ [heap]
│ ├─ [ic]
│ ├─ [init]
│ ├─ [inspector]
│ ├─ [interpreter]
│ ├─ [json]
│ ├─ [libplatform]
│ ├─ [libsampler]
│ ├─ [logging]
│ ├─ [maglev]
│ ├─ [numbers]
│ ├─ [objects]
│ ├─ [parsing]
│ ├─ [profiler]
│ ├─ [protobuf]
│ ├─ [regexp]
│ ├─ [roots]
│ ├─ [runtime]
│ ├─ [sandbox]
│ ├─ [snapshot]
│ ├─ [strings]
│ ├─ [tasks]
│ ├─ [temporal]
│ ├─ [third_party]
│ ├─ [torque]
│ ├─ [tracing]
│ ├─ [trap-handler]
│ ├─ [utils]
│ ├─ [wasm]
│ ├─ [zone]
├─ third_party/

`v8/src/api`

The v8/src/api directory in the V8 codebase is part of the V8 API. The V8 API provides functions for compiling and executing scripts, accessing C++ methods and data structures, handling errors, and enabling security checks¹.

Getting Started with Embedding V8

Thu, 06 Jul 2023 00:00:00 +0000

Getting Started with Embedding V8

Installing & Testing Standalone V8 application

Download the V8 source code
Create a build configuration using the helper script:

tools/dev/v8gen.py x64.release.sample

You can inspect and manually edit the build configuration by running:

gn args out.gn/x64.release.sample

Build the static library on a Linux 64 system:

ninja -C out.gn/x64.release.sample v8_monolith

Compile hello-world.cc, linking to the static library created in the build process. For example, on 64bit Linux using the GNU compiler:

g++ -I. -Iinclude samples/hello-world.cc -o hello_world -fno-rtti -lv8_monolith -lv8_libbase -lv8_libplatform -ldl -Lout.gn/x64.release.sample/obj/ -pthread -std=c++17 -DV8_COMPRESS_POINTERS -DV8_ENABLE_SANDBOX

For more complex code, V8 fails without an ICU data file. Copy this file to where your binary is stored:

cp out.gn/x64.release.sample/icudtl.dat .

Run the hello_world executable file at the command line. e.g. On Linux, in the V8 directory, run:

./hello_world

V8 as a standalone virtual machine has some key V8 concepts such as handles, scopes, and contexts. The V8 API provides functions for compiling and executing scripts, accessing C++ methods and data structures, handling errors, and enabling security checks. Your application can use V8 just like any other C++ library. Your C++ code accesses V8 through the V8 API by including the header include/v8.h.

CVE-2021-36414: heap-buffer-overflow MP4Box

Tue, 04 Apr 2023 00:00:00 +0000

CVE-2021-36414

A heap-buffer-overflow has occurred when running program MP4Box,which leads to a Deny of Service caused by dividing zero without sanity check,this can reproduce on the lattest commit.

Here: the main problem is dividing into zero

Assigning block_size:

block_size = ent ? ent->sampleDelta : 160;

This line uses the conditional (ternary) operator to assign a value to block_size.
It checks if ent is not NULL.
- If ent is valid (i.e., not NULL), block_size is assigned the value of ent->sampleDelta.
- If ent is NULL, block_size is assigned a default value of 160.

Fix

Tue, 28 May 2019 00:00:00 +0000