timb-machine

Falcon-sensor strace:

1185 init_module(0x556ce33f8b00, 204357, "") = 0
1185 init_module(0x556ce3430940, 122757, "") = 0
1185 init_module(0x556ce342a950, 24541, "") = 0
1185 init_module(0x7f33243be010, 1718317, "configbuild=1007.8.0012905.1") = 0 

(gdb) catch syscall init_module
(gdb) run
…

timb-machine

$ ssh sshgw.stromberg.org The authenticity of host ‘sshgw.stromberg.org (136.47.201.206)’ can’t be established. RSA key fingerprint is SHA256:VqUUSiSuOQhm+3vrJG9VDb4fWa2dM23Th23T9D88+L4. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added ‘sshgw.stromberg.org’ (RSA) to the list of known hosts. OpenBSD 7.3 (GENERIC.MP) #0: Thu May 18 19:05:43 MDT 2023

Welcome to OpenBSD: The proactively secure Unix-like operating system.

timb-machine

<?php
if (password_hash("123567890123567890123567890123567890123567890123567890123567890123456789" . "test", PASSWORD_BCRYPT, ["salt" => "1234567890123456789012"]) === password_hash("123567890123567890123567890123567890123567890123567890123567890123456789" . "hell", PASSWORD_BCRYPT, ["salt" => "1234567890123456789012"])) {
	print "matches\n";
}
?>

timb-machine

platformtags:
  - "linux"
checks:
  - type: "Informational"
    checks:
      - name: "Platform"
        exec:
          - command: "uname"
            stderr: true
            encode: ""

timb-machine

Recent:

$ ../../../src/tools/triage-binary.sh fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73.elf.x86_64 
[Execution, Persistence, Discovery: attack:T1053.006:Systemd Timers, attack:T1543.002:Systemd Service, attack:T1007:System Service Discovery]: /usr/lib/systemd/systemd-journald (1)
[Defense Evasion: attack:T1070.004:File Deletion]: ldterm (1)
[Defense Evasion: attack:T1070.004:File Deletion]: unlink@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:Auditd, attack:T1562.001:Disable or Modify Tools]: /sbin/auditd -n (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: argv0 (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: prctl@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:ProcessTreeSpoofingForking]: fork@@GLIBC_2.2.5 (1)

timb-machine

NDSA20020719.txt.asc, CVE-2002-2331
NDSA20021112.txt.asc, CVE-2002-2399
NDSA20050719.txt.asc
NDSA20060705.txt.asc, CVE-2006-3848
NDSA20070206.txt.asc, CVE-2007-0838
NDSA20070412.txt.asc
NDSA20070524.txt.asc, CVE-2007-3190, CVE-2007-3191, CVE-2007-3189
NDSA20071016.txt.asc, CVE-2007-5691, CVE-2007-5492, CVE-2007-5493, CVE-2007-5694, CVE-2007-5695
NDSA20071119.txt.asc, CVE-2007-6100
NDSA20080215.txt.asc, CVE-2007-4074

timb-machine

$ ./get-attack-patterns.py treasury
I: searching for treasury%20
10
CVE-2017-3183
CVE-2019-0280
CVE-2019-0383
CVE-2019-0384
CVE-2020-6204
CVE-2019-20150
CVE-2019-20151

timb-machine

We start by unpacking the patch. On this occasion it's shipped as an RTE file (an AIX specific backup format), so we need to unpack it on our AIX VM like so:

$ restore -T -f ../invscout.rte
/lpp_name
/usr
/usr/lpp
/usr/lpp/invscout.rte
/usr/lpp/invscout.rte/liblpp.a
/usr/lpp/invscout.rte/inst_root
/usr/lpp/invscout.rte/inst_root/liblpp.a

timb-machine

We start by unpacking the patch. On this occasion it's shipped as an RTE file (an AIX specific backup format), so we need to unpack it on our AIX VM like so:

$ restore -T -f ../invscout.rte
/lpp_name
/usr
/usr/lpp
/usr/lpp/invscout.rte
/usr/lpp/invscout.rte/liblpp.a
/usr/lpp/invscout.rte/inst_root
/usr/lpp/invscout.rte/inst_root/liblpp.a

timb-machine

#!/bin/sh

find / \( -perm -u+s -o -perm -g+s \) 2>/dev/null | while read line
do
        echo +++ $line
        dump -X 32_64 -T $line 2>/dev/null | grep getenv
done