Eduardo' Vela" <Nava> (sirdarckcat) sirdarckcat

Code for https://chrome.google.com/webstore/detail/ohcfioimjbmanibdlkhbcndkbdibpkpg

/sbin/dhclient Ubuntu AppArmor profile bypass

This document explains how to bypass the /sbin/dhclient AppArmor profile installed in Ubuntu by installing a kernel module. This is a simple task, but I didn't know how to do it before today. Hopefully you find this useful.

Tested on 17.10.1 using the isc-dhcp 4.3.5-3ubuntu2.2 package.

Background

In this advisory, Ubuntu says that the vulnerability

XS-Search Exploit for Secure Messaging Service

Exploit used during Insomni'hack 2018 for team int3pids.

gctf.sh

Usage:

wget https://gist.githubusercontent.com/sirdarckcat/087e32982bd77bddbd9c46ccbc72edf7/raw/gctf.sh && chmod +x gctf.sh
mkdir -p google-ctf-2019
DATABASE_URL=https://gctf-2019-da0962m957mnki9l.firebaseio.com ./gctf.sh google-ctf-2019/ctf
DATABASE_URL=https://gctf-2019-da0962m957mnki9l.firebaseio.com/beginners ./gctf.sh google-ctf-2019/bq

Keybase proof

I hereby claim:

I am sirdarckcat on github.
I am sirdarckcat (https://keybase.io/sirdarckcat) on keybase.
I have a public key ASDI4N0BHgeTf4c7SqQxkNozR3Vh4z-dEdjXqNwXO1n6Xgo

To claim this, I am signing this object:

	application: jquery-mobile-xss
	version: 1
	runtime: python27
	api_version: 1
	threadsafe: yes

	handlers:
	- url: /.*
	script: main.APP

	{<sc{r}ipt.*?>}
	{<sc{r}ipt.?[ /+\t]?((src)\|(xlink:href)\|(href))[ /+\t]*=}
	{<BUTTON[ /+\t].?va{l}ue[ /+\t]=}
	{<fo{r}m.*?>}
	{<OPTION[ /+\t].?va{l}ue[ /+\t]=}
	{<INPUT[ /+\t].?va{l}ue[ /+\t]=}
	{<is{i}ndex[ /+\t>]}
	{<TEXTA{R}EA[ /+\t>]}
	{<.[:]vmlf{r}ame.?[ /+\t]?src[ /+\t]=}
	{<[i]?f{r}ame.?[ /+\t]?src[ /+\t]*=}

	<script>
	window.oncontextmenu=window.onauxclick=window.onclick=function(e){
	with(document.body.appendChild(document.createElement('div'))){
	style.left=e.clientX+'px';
	style.top=e.clientY+'px';
	style.position='absolute';
	style.height='0';
	style.width='0';
	style.opacity='0.1';
	style.boxShadow='0 0 0 '+(Math.random()800+5)+'px #'+Math.floor(Math.random()0xFFFFFF).toString(16);

	var HANDICAP = 10*2;
	var reqs = [];
	function fetchReq() {
	Promise.resolve().then(
	reqs.length?
	reqs.pop():
	_=>0
	).then(
	_=>setTimeout(fetchReq, 1)
	);

	FROM ubuntu:20.04
	RUN apt update && DEBIAN_FRONTEND=noninteractive apt install -y wget git unzip openjdk-8-jdk google-android-platform-24-installer google-android-build-tools-24-installer android-sdk
	RUN cd /usr/lib/android-sdk/build-tools && wget https://dl.google.com/android/repository/build-tools_r24.0.1-linux.zip 2>/dev/null && unzip build-tools_r24.0.1-linux.zip && ls
	RUN git clone https://github.com/k3b/intent-intercept.git
	RUN cd /usr/lib/android-sdk && mkdir cmdline-tools && cd cmdline-tools && wget https://dl.google.com/android/repository/commandlinetools-linux-6514223_latest.zip 2>/dev/null && unzip commandlinetools-linux-6514223_latest.zip && ls -la
	RUN yes \| /usr/lib/android-sdk/cmdline-tools/tools/bin/sdkmanager --licenses
	RUN update-alternatives --set java /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
	RUN cd intent-intercept && export ANDROID_HOME=/usr/lib/android-sdk && ./gradlew assembleDebug