Tim Brown timb-machine

timb-machine / So you just want code execution on your NAS?
Created June 5, 2025 21:15
If you don't need persistence, why work so hard?
$ rm /foo; xmldbc -t "test:10:touch /foo"; ls -la /foo; xmldbc -D /tmp/config.xml; sleep 20; ls -la /foo
ls: /foo: No such file or directory
-rw-r--r-- 1 root root 0 Jun 5 22:11 /foo
timb-machine / Adding persistence to WD MyCloud NAS device cron...
Last active June 5, 2025 21:13
Say for example, you wanted a cron entry that would run persist.sh every 5 minutes...
$ xmldbc -s /system_mgr/crond/list/count "9"
$ xmldbc -s /system_mgr/crond/list/name:9 "persist"
$ xmldbc -s /system_mgr/crond/persist/count "1"
$ xmldbc -s /system_mgr/crond/persist/item:1/method "3"
$ xmldbc -s /system_mgr/crond/persist/item:1/1 "*/5"
$ xmldbc -s /system_mgr/crond/persist/item:1/2 "*"
$ xmldbc -s /system_mgr/crond/persist/item:1/3 "*"
$ xmldbc -s /system_mgr/crond/persist/item:1/4 "*"
timb-machine / Dumping CrowdStrike's LKM
Created May 10, 2025 16:16
Falcon-sensor strace:
1185 init_module(0x556ce33f8b00, 204357, "") = 0
1185 init_module(0x556ce3430940, 122757, "") = 0
1185 init_module(0x556ce342a950, 24541, "") = 0
1185 init_module(0x7f33243be010, 1718317, "configbuild=1007.8.0012905.1") = 0
(gdb) catch syscall init_module
(gdb) run
timb-machine / ssh sshgw.stromberg.org
Last active May 10, 2025 16:17
$ ssh sshgw.stromberg.org
The authenticity of host 'sshgw.stromberg.org (136.47.201.206)' can't be established.
RSA key fingerprint is SHA256:VqUUSiSuOQhm+3vrJG9VDb4fWa2dM23Th23T9D88+L4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'sshgw.stromberg.org' (RSA) to the list of known hosts.
OpenBSD 7.3 (GENERIC.MP) #0: Thu May 18 19:05:43 MDT 2023

Welcome to OpenBSD: The proactively secure Unix-like operating system.

timb-machine / Example of bcrypt() weakness around input string truncation (the choice of PHP is arbitrary)
Created March 1, 2025 21:47
<?php
// bcrypt only consumes the first 72 bytes of its input. The prefix below is
// exactly 72 bytes long, so the differing suffixes ("test" vs "hell") are
// silently dropped and both calls produce the same hash for the same salt.
$prefix = "123567890123567890123567890123567890123567890123567890123567890123456789";
$opts = ["salt" => "1234567890123456789012"];

if (password_hash($prefix . "test", PASSWORD_BCRYPT, $opts)
    === password_hash($prefix . "hell", PASSWORD_BCRYPT, $opts)) {
    print "matches\n";
}
?>
timb-machine / unix-audit DSL prototype
Last active August 1, 2023 05:58
platformtags:
  - "linux"
checks:
  - type: "Informational"
    checks:
      - name: "Platform"
        exec:
          - command: "uname"
            stderr: true
            encode: ""
timb-machine / Comparing and contrasting generations of RedMenshen AKA BPFDoor
Created June 9, 2023 21:39
Recent:
$ ../../../src/tools/triage-binary.sh fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73.elf.x86_64
[Execution, Persistence, Discovery: attack:T1053.006:Systemd Timers, attack:T1543.002:Systemd Service, attack:T1007:System Service Discovery]: /usr/lib/systemd/systemd-journald (1)
[Defense Evasion: attack:T1070.004:File Deletion]: ldterm (1)
[Defense Evasion: attack:T1070.004:File Deletion]: unlink@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:Auditd, attack:T1562.001:Disable or Modify Tools]: /sbin/auditd -n (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: argv0 (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: prctl@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:ProcessTreeSpoofingForking]: fork@@GLIBC_2.2.5 (1)
timb-machine / List of CVEs for vulnerability disclosures
Last active April 17, 2023 23:55
NDSA20020719.txt.asc, CVE-2002-2331
NDSA20021112.txt.asc, CVE-2002-2399
NDSA20050719.txt.asc
NDSA20060705.txt.asc, CVE-2006-3848
NDSA20070206.txt.asc, CVE-2007-0838
NDSA20070412.txt.asc
NDSA20070524.txt.asc, CVE-2007-3190, CVE-2007-3191, CVE-2007-3189
NDSA20071016.txt.asc, CVE-2007-5691, CVE-2007-5492, CVE-2007-5493, CVE-2007-5694, CVE-2007-5695
NDSA20071119.txt.asc, CVE-2007-6100
NDSA20080215.txt.asc, CVE-2007-4074
timb-machine / A brief history of treasury bugs
Created February 13, 2023 21:25
$ ./get-attack-patterns.py treasury
I: searching for treasury%20
10
CVE-2017-3183
CVE-2019-0280
CVE-2019-0383
CVE-2019-0384
CVE-2020-6204
CVE-2019-20150
CVE-2019-20151
timb-machine / CVE-2022-36768 for shits and giggles... (WIP)
Last active January 4, 2024 22:42
We start by unpacking the patch. On this occasion it's shipped as an RTE file (an AIX-specific backup format), so we need to unpack it on our AIX VM like so:
$ restore -T -f ../invscout.rte
/lpp_name
/usr
/usr/lpp
/usr/lpp/invscout.rte
/usr/lpp/invscout.rte/liblpp.a
/usr/lpp/invscout.rte/inst_root
/usr/lpp/invscout.rte/inst_root/liblpp.a