Tim Brown timb-machine
timb-machine
/ CVE-2022-36768 for shits and giggles... (WIP)
Last active
January 4, 2024 22:42
CVE-2022-36768 for shits and giggles... (WIP)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| We start by unpacking the patch. On this occasion it's shipped as an RTE file (an AIX specific backup format), so we need to unpack it on our AIX VM like so: | |
| $ restore -T -f ../invscout.rte | |
| /lpp_name | |
| /usr | |
| /usr/lpp | |
| /usr/lpp/invscout.rte | |
| /usr/lpp/invscout.rte/liblpp.a | |
| /usr/lpp/invscout.rte/inst_root | |
| /usr/lpp/invscout.rte/inst_root/liblpp.a |
timb-machine
/ CVE-2022-36768 for shits and giggles...
Last active
January 4, 2024 22:44
CVE-2022-36768 for shits and giggles...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| We start by unpacking the patch. On this occasion it's shipped as an RTE file (an AIX specific backup format), so we need to unpack it on our AIX VM like so: | |
| $ restore -T -f ../invscout.rte | |
| /lpp_name | |
| /usr | |
| /usr/lpp | |
| /usr/lpp/invscout.rte | |
| /usr/lpp/invscout.rte/liblpp.a | |
| /usr/lpp/invscout.rte/inst_root | |
| /usr/lpp/invscout.rte/inst_root/liblpp.a |
timb-machine
/ Hunting for AIX getenv() victims
Created
December 16, 2022 23:30
Hunting for AIX getenv() victims
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| find / \( -perm -u+s -o -perm -g+s \) 2>/dev/null | while read line | |
| do | |
| echo +++ $line | |
| dump -X 32_64 -T $line 2>/dev/null | grep getenv | |
| done |
timb-machine
/ Abusing sudo vim to create setUIDs you control
Last active
December 13, 2022 15:22
Abusing sudo vim to create setUIDs you control
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ sudo chown root foo | |
| Password: | |
| $ sudo chmod u+rwxs foo | |
| $ ls -la foo | |
| -rwsr--r-- 1 root staff 0 13 Dec 15:19 foo | |
| $ sudo vi foo | |
| $ ls -la foo | |
| -rwsr--r-- 1 root staff 1711088 13 Dec 15:19 foo |
timb-machine
/ Analysis of ATT&CK v12 bugs
Created
December 4, 2022 07:47
Analysis of ATT&CK v12 bugs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Top 10 bugs: | |
| CVE-2014-7169,8 | |
| CVE-2016-6662,8 | |
| CVE-2012-0158,9 | |
| cve-2017-8759,10 | |
| CVE-2017-8625,11 | |
| CVE-2017-8759,13 | |
| cve-2021-32648,15 | |
| CVE-2015-3113,21 |
timb-machine
/ ATT&CK v11 vs v12 for Linux
Created
October 25, 2022 19:29
ATT&CK v11 vs v12 for Linux
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ jq '.objects[] | select(.type | contains("attack-pattern")) | select(.x_mitre_platforms[] | contains("Linux")) | .name' enterprise-attack-11.0.json | sort | uniq > 11.out | |
| $ jq '.objects[] | select(.type | contains("attack-pattern")) | select(.x_mitre_platforms[] | contains("Linux")) | .name' enterprise-attack-12.0.json | sort | uniq > 12.out | |
| $ diff 11.out 12.out | |
| 33a34,36 | |
| > "Clear Mailbox Data" | |
| > "Clear Network Connection History and Configurations" | |
| > "Clear Persistence" | |
| 93a97 | |
| > "Embedded Payloads" | |
| 145c149 |
timb-machine
/ Bulk rename my mirror repos to reference original org
Created
October 22, 2022 15:56
Bulk rename my mirror repos to reference original org
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| gh repo list timb-machine-mirrors --fork -L 1230 --json name | tr "," "\n" | cut -f 4 -d "\"" | while read line | |
| do | |
| org=`gh repo view timb-machine-mirrors/$line --json parent | tr "," "\n" | grep login | cut -f 4 -d "\""` | |
| name=`gh repo view timb-machine-mirrors/$line --json parent | tr "," "\n" | grep name | cut -f 4 -d "\""` | |
| if [ "$line" != "$org-$name" ] | |
| then | |
| gh repo rename -y -R "timb-machine-mirrors/$line" "$org-$name" | |
| fi | |
| done |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ps -aef | grep 94 | |
| root 94 2 0 Jun16 ? 00:00:00 [kworker/6:1H] | |
| root 594 2 0 Jun16 ? 00:00:00 [ipv6_addrconf] | |
| root 4692 2509 0 01:17 pts/0 00:00:00 grep 94 | |
| root 20394 2 0 Oct08 ? 00:00:20 [kworker/u32:2] | |
| # mkdir -p spoof/fd; mount -o bind spoof /proc/94; ln -s socket:\[283\] /proc/94/fd/99; ls -la /proc/94/fd | |
| total 4 | |
| drwxr-xr-x 2 root root 4096 Oct 9 01:16 . | |
| dr-xr-xr-x 193 root root 0 Jun 16 17:40 .. | |
| lrwxrwxrwx 1 root root 12 Oct 9 01:16 99 -> socket:[283] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Unix.Trojan.Mirai$ ls *.elf.* | wc -l | |
| 65 | |
| Unix.Trojan.Mirai$ clamscan *.elf.* | grep Unix.Trojan.Mirai | wc -l | |
| 65 | |
| Unix.Trojan.Mirai$ wc -l triage/* | |
| 2 triage/00bbe47a7af460fcd2beb72772965e2c3fcff93a91043f0d74ba33c92939fe9d.elf.x86.triage | |
| 1 triage/0cb8d3af19c50201db3a63329d66ff18c3208135a40a237b98886f5d87f706bb.elf.x86.triage | |
| 2 triage/11242cdb5dac9309a2f330bd0dad96efba9ccc9b9d46f2361e8bf8e4cde543c1.elf.m68k.triage | |
| 11 triage/12330634ae5c2ac7da6d8d00f3d680630d596df154f74e03ff37e6942f90639e.elf.arm.triage | |
| 17 triage/190333b93af51f9a3e3dc4186e4f1bdb4f92c05d3ce047fbe5c3670d1b5a87b4.elf.sparc.triage |
timb-machine
/ Triaging Linux malware with respect to ATT&CK
Created
September 4, 2022 18:49
Triaging Linux malware with respect to ATT&CK
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ src/tools/triage-binary.sh malware/binaries/BPFDoor/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a.elf.sparc | |
| [Privilege Escalation, Persistence: Unix Shell]: /usr/bin/bash (1) | |
| [Persistence: Path Interception by PATH Environment Variable]: PATH=/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin:./bin (1) | |
| [Persistence: Dynamic Linker Hijacking]: /usr/lib/ld.so.1 (1) | |
| [Credential Access: Network Sniffing]: pcap_compile (2) | |
| [Credential Access: Network Sniffing]: pcap_geterr (2) | |
| [Credential Access: Network Sniffing]: pcap_loop (2) | |
| [Credential Access: Network Sniffing]: pcap_open_live (2) | |
| [Credential Access: Network Sniffing]: pcap_setfilter (2) | |
| [Defense Evasion: LM: Non-persistant Storage]: /var/run/haldrund.pid (1) |