<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>637th Research Lab</title><description>Security research write-ups: reverse-engineering, vulnerability discovery, and the methodology behind them.</description><link>https://y637f9qq2x.com/</link><item><title>RogueProvision: Windows Privilege Escalation in the Provisioning Engine — the SYSTEM Task That Applies Unsigned Packages</title><link>https://y637f9qq2x.com/posts/rogueprovision/</link><guid isPermaLink="true">https://y637f9qq2x.com/posts/rogueprovision/</guid><description>A SYSTEM service silently applies unsigned configuration packages from a folder — no signature, no consent, no interaction. Microsoft&apos;s docs promise otherwise. The honest catch: on a normal PC it&apos;s admin→SYSTEM, and a symbol&apos;s name fooled the analysis into believing otherwise.</description><pubDate>Mon, 22 Jun 2026 01:00:00 GMT</pubDate><category>windows</category><category>vulnerability-research</category><category>lpe</category><category>privilege-escalation</category><category>provisioning</category><category>reverse-engineering</category><category>confused-deputy</category></item><item><title>Rebuilding a Security Researcher&apos;s Mind in an AI — to Invent Attacks, Not Just Find Them</title><link>https://y637f9qq2x.com/posts/researchers-mind-in-ai/</link><guid isPermaLink="true">https://y637f9qq2x.com/posts/researchers-mind-in-ai/</guid><description>AI-driven zero-day finding is spreading fast. This is a report on the harder part: building an AI that autonomously reverse-engineers undocumented Windows internals to invent attack techniques nobody has named — borrowing discovery methods from outside security, doubting its own conclusions, and running unattended for hours without fooling itself.</description><pubDate>Tue, 16 Jun 2026 01:00:00 GMT</pubDate><category>vulnerability-research</category><category>ai-agents</category><category>methodology</category><category>autonomous-research</category></item><item><title>Same Workflow, New Target: AI-Assisted Discovery of CVE-2026-29004 in BusyBox</title><link>https://y637f9qq2x.com/posts/busybox-dhcpv6-heap-overflow/</link><guid isPermaLink="true">https://y637f9qq2x.com/posts/busybox-dhcpv6-heap-overflow/</guid><description>How the same AI analysis workflow that found a zero-day in strongSwan discovered a 9-year-old heap buffer overflow in BusyBox&apos;s DHCPv6 client — plus a full walkthrough of the proof-of-concept development process.</description><pubDate>Tue, 05 May 2026 00:00:00 GMT</pubDate><category>cve</category><category>heap-overflow</category><category>busybox</category><category>vulnerability-research</category></item><item><title>Inside NOFILTER-NFEXEC: A Deep Dive into WFP Implementation and BOF OPSEC Engineering</title><link>https://y637f9qq2x.com/posts/nofilter-nfexec/</link><guid isPermaLink="true">https://y637f9qq2x.com/posts/nofilter-nfexec/</guid><description>A detailed walkthrough of implementing the DEF CON 31 NoFilter WFP technique as an OPSEC-hardened Havoc C2 BOF, including indirect syscalls, return address spoofing, patchless AMSI/ETW bypass, and lessons learned from Havoc BOF development.</description><pubDate>Thu, 23 Apr 2026 00:00:00 GMT</pubDate><category>havoc-c2</category><category>bof-development</category><category>privilege-escalation</category><category>opsec</category></item><item><title>Finding a 15-Year-Old Zero-Day in strongSwan with AI-Assisted Code Analysis</title><link>https://y637f9qq2x.com/posts/cve-2026-25075/</link><guid isPermaLink="true">https://y637f9qq2x.com/posts/cve-2026-25075/</guid><description>How I discovered CVE-2026-25075 — a vulnerability that had been quietly sitting in strongSwan&apos;s codebase since 2011 — using a structured, multi-pass AI analysis workflow.</description><pubDate>Sat, 18 Apr 2026 00:00:00 GMT</pubDate><category>cve</category><category>integer-underflow</category><category>strongswan</category><category>vulnerability-research</category></item></channel></rss>