Skip to content

Instantly share code, notes, and snippets.

View o0xmuhe's full-sized avatar
🐦
咕咕咕

o0xmuhe o0xmuhe

🐦
咕咕咕
View GitHub Profile
@axt
axt / bbhit.c
Last active September 18, 2020 07:56
Naive hit tracer implementation using DynamoRIO.
/*
* Naive hit tracer implementation using DynamoRIO.
*
* Author: axt
*
* Build it with the following commands:
* gcc -Dbbhit_EXPORTS -DSHOW_RESULTS -DSHOW_SYMBOLS -fPIC -I../include -I../ext/include -DX86_64 -DLINUX -O2 -fno-stack-protector -o bbhit.c.o -c bbhit.c
* gcc -fPIC -O2 -DX86_64 -DLINUX -fno-stack-protector -fPIC -shared -lgcc -Wl,--hash-style=both -shared -Wl,-soname,libbbhit.so -o libbbhit.so bbhit.c.o ../lib64/debug/libdynamorio.so.4.2 ../ext/lib64/debug/libdrsyms.so
*/
#include <stddef.h>

Your First Format String Attacks.

1. What's the `Format String Bugs'?

 Format String Bugs(以降, FSBとする)とは, sprintf()fprintf()などのprintf関数群やsyslog()などのFormat Strings(以降, 書式指定子とする)を扱える関数において, ユーザが自由に書式指定子を配置できるバグである. これを利用した攻撃手法をFormat String Attacksと呼び, この攻撃によりターゲットとなるプロセスがアクセス可能な任意のメモリの読み書きが行えるようになる. また, それを利用しプログラムの制御を乗っ取ることも可能である.
 実際のプログラムに多く存在するとは到底言えないような脆弱性ではあるが稀に見つかることはある. CVE-2012-0809[1]ではsudoのデバッグ機能にFSBが見つかり, 実際にlocal exploitが公開されたりもした. 前述の通り珍しいものではあるが, 任意のメモリの書き換えができるなど非常に強力なものであることからCTFではよく題材にされる.
 この記事ではFSBの検証に以下の環境を使用した.

sh-4.3$ uname -a
Linux Arch_Laptop 4.0.4-1-ARCH #1 SMP PREEMPT Mon May 18 06:43:19 CEST 2015 x86_64 GNU/Linux
@bazad
bazad / build-xnu-4570.1.46.sh
Created October 6, 2017 21:24
A script to build XNU version 4570.1.46 (macOS High Sierra 10.13).
#! /bin/bash
#
# build-xnu-4570.1.46.sh
# Brandon Azad
#
# A script showing how to build XNU version 4570.1.46 on MacOS High Sierra
# 10.13 with Xcode 9.
#
# Note: This process will OVERWRITE files in Xcode's MacOSX10.13.sdk. Make a
# backup of this directory first!
@mgeeky
mgeeky / xml-attacks.md
Last active November 13, 2024 10:21
XML Vulnerabilities and Attacks cheatsheet

XML Vulnerabilities

XML processing modules may be not secure against maliciously constructed data. An attacker could abuse XML features to carry out denial of service attacks, access logical files, generate network connections to other machines, or circumvent firewalls.

The penetration tester running XML tests against application will have to determine which XML parser is in use, and then to what kinds of below listed attacks that parser will be vulnerable.


@stefanesser
stefanesser / BHEU.markdown
Last active July 8, 2024 08:41
BlackHat EU - Wrong information in Talk "Eternal War in XNU Kernel Objects"

It has come to my attention that BlackHat EU had talks from Alibaba Security about iOS security topics. It seems to be from the same people that have previously presented at DEFCON. Back then I had publicly discussed how their talk is basically just a summary of other people's work that is heavily miscredited to the wrong people.

Considering this history it is surprising that BlackHat would allow the same people to give a talk again on iOS security topics. But I have given up a long time ago on the BlackHat review board and their decisions, which is one of the reasons why I have stopped submitting to them years ago.

But I am digressing from the actual reason for this GIST. And no it is not about the fact that the talk once again starts with summarizing other people's work and crediting the wrong parties for the work done. In this GIST I want to go over one of the slides from the "summary part" of the talk, because not a single item on that slide is correct information.

So here is the offending slide:

![Fr

@knightsc
knightsc / build-xnu-4903.221.2.sh
Last active August 25, 2019 12:07
A script to build XNU version 4903.221.2 (macOS Mojave 10.14.1).
#! /bin/bash
#
# build-xnu-4903.221.2.sh
# Scott Knight
#
# Based on the script by Brandon Azad
# https://gist.github.com/bazad/654959120a423b226dc564073b435453
#
# A script showing how to build XNU version 4903.221.2 on macOS Mojave
# 10.14 with Xcode 10.1.
@MattPD
MattPD / analysis.draft.md
Last active November 12, 2024 06:46
Program Analysis Resources (WIP draft)
@0x09AL
0x09AL / netscaler_exploit.py
Created January 13, 2020 11:12
Citrix ADC / NetScaler Remote Command Execution
import requests
import sys
import time
append_value = str(time.time())
print "# By 0x09AL - MDSec ActiveBreach \n"
def upload_file(url,payload):
endpoint = url + "/vpns/portal/scripts/newbm.pl"
@knightsc
knightsc / build-xnu-6153.11.26.sh
Created February 18, 2020 15:08
A script to build XNU version 6153.11.26 (macOS Catalina 10.15).
#! /bin/bash
#
# build-xnu-6153.11.26.sh
# Scott Knight
#
# Based on the script by Brandon Azad
# https://gist.github.com/bazad/654959120a423b226dc564073b435453
#
# A script showing how to build XNU version 6153.11.26 on macOS Catalina
# 10.15 with Xcode 11.13.1.
@Cryptogenic
Cryptogenic / ip6_expl_poc.c
Last active June 25, 2021 08:24
Kernel exploit POC (Proof-of-Concept) for IP6_EXTHDR_CHECK double free (CVE-2020-9892). Interleaves with multi-threads for code exec. Mainly a reference for PS4 implementation.
/*
* IP6_EXTHDR_CHECK Double Free (CVE-2020-9892) Exploit PoC for FreeBSD 9.0
* https://github.com/google/security-research/security/advisories/GHSA-gxcr-cw4q-9q78
* -
* Bug credit: Andy Nguyen (@theflow0)
* Exploit credit: @SpecterDev, @tihmstar
* Thanks: @sleirsgoevy, @littlelailo, flatz (@flat_z), @balika011
* -
* Build: gcc -o expl ip6_expl_poc.c -pthread
* -