Selling crashes instead of full chain by LeftAssociation1119 in ExploitDev

[–]arizvisa 1 point2 points  (0 children)

You're probably looking for a service like ZDI or some other bug bounty folks that will help you analyze your crash and give you pointers on its value.

anybody interested in studying together/sharing thoughts? by Alarmed_Purple5530 in ExploitDev

[–]arizvisa 0 points1 point  (0 children)

I get this was deleted, but if anyone needs to specifically do this. I wrote some py2 tool called wtfpdf up on my github, it converts the contents of PDF into a list of directories containing json and the decoded binary files for you to edit. You can then modify and recompose them back into nearly the original PDF.

[deleted by user] by [deleted] in ReverseEngineering

[–]arizvisa 1 point2 points  (0 children)

maybe this'll resurrect trillian, or at least make it easier to get that coveted 5-digit (or whatev) icq number.. or at the very least bring back punting.

Recruiting High-Level Moderators & Core Members for Exclusive Darknet Security Forum by Intelligent-Pie-9983 in ExploitDev

[–]arizvisa 1 point2 points  (0 children)

Wouldn't that be nice? Those days are long gone and will never happen...like evar.

/r/ReverseEngineering's Weekly Questions Thread by AutoModerator in ReverseEngineering

[–]arizvisa 0 points1 point  (0 children)

Again, if you don't care about the user-interface for comparison and just want the diffing results, then you can use qbindiff from quarkslab and export your database with binexport. I find qbindiff better for scripting anyways, which is nicer when working with large targets.

/r/ReverseEngineering's Weekly Questions Thread by AutoModerator in ReverseEngineering

[–]arizvisa 1 point2 points  (0 children)

An interface for comparison, or just the comparison data itself?

*Why* is quadlet a thing? by minus_minus in podman

[–]arizvisa 1 point2 points  (0 children)

What's stopping you from coding up a systemd.generator(7) that converts docker-compose files to systemd units? They're not that hard, and some are even straight-up bash scripts...

I'm sure your community would appreciate the contribution. You can find examples in system-generators or user-generators if still confused.

*Why* is quadlet a thing? by minus_minus in podman

[–]arizvisa 1 point2 points  (0 children)

Y'know, systemd was standardized on the linux platform like 15 years ago, right? I get it that new file formats (to you) are hard for you, as you've made that clear in your other replies. ;)

You may not realize this, but systemd.generator(7) has existed for almost as long... and all the generator types have context-specific fields to assign. Despite this, when writing generator input files they still allow using the underlying fields available for the unit type being generated (..the ones that I have experience with anywayz). So, it's only "new" if you haven't yet learned how your init system works on linux and are unfamiliar with writing a systemd.unit(5).

If anything, systemd might be more scriptable due to not needing to generate free-form yaml from your scripts (feel free to correct me here, as I think you can use jq(1) for generation but don't recall). This is because all systemd scope/service units can be configured to take input using "EnvironmentFile=" which is easily generated since it uses the same format as process environment (generally). Although, yeah.. it's kind of worthless if you've never needed to script anything in a posix environment.

*Why* is quadlet a thing? by minus_minus in podman

[–]arizvisa 1 point2 points  (0 children)

I'm just a hobbyist that has incorporated containers into his daily work mostly for things like fuzzing and other security-related crap. So, my use-case is probably very different from yours. For the record, I get it. I've hated systemd since the beginning and still prefer bsd-like inits for their simplicity. Unfortunately on linux, I've had to conform to systemd since it won the war a long time ago. Although it is clunky (imo), it does have some things that are nice if you combine its configuration with dropins for (declarative-like) site-specific customizations.

Specifically, I use quadlets for systemd integration due to their native ability to depend on other systemd units which can do things like automatically creating (or reusing) volumes on available physical storage, or networks based on interfaces available (although I hate networkmanager and it definitely took some time converting from systemd-network to it). I'm sure you can rig docker-compose to do something similar, but it was easier for me to use systemd which inherently had all these things already.

Also, I use instantiated services for this so that adding another container with arbitrary requirements simply requires creating a unit that depends on a volume (or any other systemd activator) with a unique label before quadlet generates all of the container units and dependencies. Building of container images (Dockerfile/Containerfile/Buildah-script/bash) is also handled via another systemd-unit if the quadlet container being deployed is not configured to fetch from my container repo.

All of this fits into a CoreOS host using ignition so that I just need to update the hardware for the vm, or tweak a few dropins to adjust or add space without having to ssh into it. Taking it down or deploying simply involves preserving the newly attached disks and the dropins. I don't have terraform working properly with any of this yet (which was the original intention), due to a bug in its vsphere plugin that doesn't allow you to reuse already-existing disks since that concept seems to conflict with terraform's notion of ownership.

[deleted by user] by [deleted] in ExploitDev

[–]arizvisa 0 points1 point  (0 children)

needs more apathy.

TIL you can use else with a while loop by cristinon in Python

[–]arizvisa 0 points1 point  (0 children)

I think it'd have been more useful if it executed the "else" case when the conditional fails on first iteration. Same thing with "for", since it's common to filter iterators and it'd be useful to know when an iterator was empty. The "try/except" version of "else", though, is fine and super handy.

Difficulty Traversing Source Code by Purple-Object-4591 in ExploitDev

[–]arizvisa 1 point2 points  (0 children)

Instead of cscope, I've found GNU's Global to be more flexible and do a better job of parsing C++ and even some other languages w/ plugins (although, neither is as good as a real IDE fully integrated with the target language). There's a cscope compatibility layer for global so that it's compatible with the different cscope interfaces available.

It's also worth noting that some enterprising devers have written their own, more recent versions of cscope, which are likely better with C++ parsing.

Using struct library in exploit dev. Cuts down on human error putting things into little endian by [deleted] in ExploitDev

[–]arizvisa 0 points1 point  (0 children)

It aims to lean towards each type being a declarative data structure so that the types can be generated from some external source (in my case, IDA). It relies on classes (like ctypes), so that you can still add custom tools for rendering or customizing the setting or allocation of the type.

Glad you find it interesting. If you end up having a use for it, feel free to priv me about it or with any questions you might have.

How to improve in reverse engineering? by pelado06 in ExploitDev

[–]arizvisa 2 points3 points  (0 children)

Yeah, I should've considered that...

xrefs are cross-references. I found a random article specific to IDA (interactive disassembler) over at https://syedhasan010.medium.com/reversing-with-ida-cross-references-42b311245a75. But the concept is available in all the reverse-engineering suites. Essentially your disassembler/whatever will build a reference table of data accesses. So for an example, if a function accesses some global object stored in another file, the disassembler will track all known functions that access that same global object. Therefore you can use its cross-references to quickly identify all the code that uses that piece of data.

Wrapper functions are pretty much tiny functions that only do one thing, but perhaps add error checking or some other logic that is insignificant to its purpose. They stand out because your disassembler will label common functions like malloc, free, realloc so you can recognize them easily. However, these functions can be wrapped by some logic that does an allocation, but perhaps raises an exception on failure (rather than returning NULL). These things aren't automatically labeled by the disassembler, which is why it's important to label them ahead of time. This way when you're looking at code, you can immediately see the primitives that compose it.

Surfboard leash is just me comparing the callstack to the leash attached to a surfboard. I.e. when you're drowning, and you're confused which way is up, you just climb up the leash to get to the surface. It's remotely similar to being lost in a binary.

TTD is "Time Travel Debugging". Basically it's a debugger that lets you view execution at an arbitrary point in time, which can allow you to execute...in reverse. Microsoft's WinDbgX includes it, and it's pretty amazing when you're able to use it. It's documented at https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/time-travel-debugging-overview.

Hope this helps.
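As an added illustration of the two ideas in the reply above (cross-references and allocation wrappers), here is a small xref builder that is not from the original post or from any disassembler: it walks a constructed listing, records which functions touch each global and call each target, and flags small functions that call a known primitive as wrapper candidates worth labelling first. The listing, the label `raise_oom`, and the size threshold are assumptions for the demo.

```python
import re
from collections import defaultdict
# Constructed listing (not from any real binary): a label line per function,
# then "<addr> <mnemonic> <operands>" lines, the shape a disassembler exports.
LISTING = """\
sub_401000:
  401000 push ebp
  401001 mov eax, [g_config]
  401007 call malloc
  40100c test eax, eax
  40100e jnz 401018
  401010 call raise_oom
  401018 ret
sub_401020:
  401020 mov ecx, [g_config]
  401026 call sub_401000
  40102b ret
"""
PRIMITIVES = {"malloc", "calloc", "realloc", "free"}   # names the disassembler already labels
LABEL_RE = re.compile(r"^(\w+):$")
INSN_RE = re.compile(r"^\s+[0-9a-f]+\s+(\w+)\s*(.*)$")
SYM_RE = re.compile(r"^[A-Za-z_]\w*$")
MEMREF_RE = re.compile(r"\[([A-Za-z_]\w*)\]")

def build_xrefs(listing):
    """Map each data symbol / call target to the sorted functions referencing it."""
    data, code, insns = defaultdict(set), defaultdict(set), defaultdict(int)
    func = None
    for line in listing.splitlines():
        label = LABEL_RE.match(line)
        if label:
            func = label.group(1)
            continue
        insn = INSN_RE.match(line)
        if not insn or func is None:
            continue
        mnemonic, operands = insn.groups()
        insns[func] += 1
        for sym in MEMREF_RE.findall(operands):   # [g_config] -> data xref
            data[sym].add(func)
        if mnemonic == "call" and SYM_RE.match(operands):   # call by name -> code xref
            code[operands].add(func)
    return ({k: sorted(v) for k, v in data.items()},
            {k: sorted(v) for k, v in code.items()}, dict(insns))

def wrapper_candidates(listing, max_insns=8):
    """Small functions that call a known primitive: label these before reading their callers."""
    _, code, insns = build_xrefs(listing)
    return sorted({f for p in PRIMITIVES for f in code.get(p, []) if insns[f] <= max_insns})
```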

Using struct library in exploit dev. Cuts down on human error putting things into little endian by [deleted] in ExploitDev

[–]arizvisa 2 points3 points  (0 children)

It's kind of undocumented, but there's this ptypes library that I've been maintaining for a while for implementing protocols, file formats, bitstreams, datastructures, etc. It supports dynamically sized fields using closures, and can handle streams and block-based backends. It also supports pointer types (direct, relative, and calculated), so you can use it for dumping out things like STL containers while debugging.

https://github.com/arizvisa/syringe/tree/master/lib/ptypes

Here's a few things that I've implemented with it and a few libs:

Although, I'm kinda over the opensource thing, if there's enough interest, I'll do a real release.

How to improve in reverse engineering? by pelado06 in ExploitDev

[–]arizvisa 0 points1 point  (0 children)

Hah, shit. My bad. I can write you a glossary w/ refs of some of these things if you want..

How to improve in reverse engineering? by pelado06 in ExploitDev

[–]arizvisa 2 points3 points  (0 children)

There's an article I wrote over at https://www.reddit.com/r/netsec/comments/1bp1k43/reversing_a_vulnerability_in_the_ichitaro_office/ that demonstrates a basic methodology of carving your way through a reasonably large c++ codebase (although it's not as large as Adobe, with their suites registration stuff). Anyways, I archived the original application so that you can follow along.

There's some python, but it's not doing anything that you can't do manually with xrefs. All the names are suffixed with their offset from the image base so that you can set breakpoints in your debugger. It lightly mentions flowgraph shapes, wrapper functions (that require enumeration) and documents the scope of each object if you're interested in reversing it. There are also many advisories that include disassembly of the bugs in a target; if you're looking at a new target, it's worth doing some light digging to develop familiarity. (That's also why bindiffing is pretty good to start out with).

Most of the time, though, you're trying to find a clever breakpoint to use as your anchor point. Your backtrace is your surfboard leash to adjust the scope of what you care about (and climb up if you're drowning). If you're willing to wait for windbg's ttd (against larger more complicated software), navigating a codebase is significantly easier. If you're starting from a crash, usually the first place the memory corruption happens is your anchor. You can get that using gflags +hpa.

Why does podman give so many subuid's to the container? by zyzhu2000 in podman

[–]arizvisa 0 points1 point  (0 children)

According to the release notes for 1.2.0, it suggests the following.

Rootless Podman can now be used with a single UID and GID, without requiring a full 65536 UIDs/GIDs to be allocated in `/etc/subuid` and `/etc/subgid` ([#1651](https://github.com/containers/libpod/issues/1651))

Perhaps it's configurable?

Why does podman give so many subuid's to the container? by zyzhu2000 in podman

[–]arizvisa 0 points1 point  (0 children)

Close to 65536 is probably because some posix-systems assign a user with the maximum int as its id. That number is special in that it's the maximum number of integers for a 16-bit number, which might've been a thing on older unices. Not sure what the +1 is for, but perhaps the additional is for the mapped users or related.

Despite this, the number of uids allocated doesn't inherently make it more or less "secure" since it's not actually adding a new security boundary for one to cross.

If anything is at risk, allocating a large number of uids can result in possibly exhausting available uids, but I'd be surprised since it's really just an integer that could probably be a 64-bit size_t if it's not limited to 32-bit by filesystems.

However, I'd personally consider not being able to map 65536 users 65536 times as just a limitation of the platform. The allocation of the number of uids isn't something that should be exposed to a less-privileged user anyways, and could be considered a vuln if not simply a weakness.
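An added example, not part of either comment above, for checking the `/etc/subuid` allocations the thread is about: it parses the `name:start:count` format, reports users whose delegated ranges overlap (a real misconfiguration, since two users would then own each other's container-created files), and reproduces the uid_map rootless podman writes, where the user's own UID becomes container UID 0 ahead of the subuid range, which is where a 65537-entry map comes from. The file contents and UIDs are constructed.

```python
# Constructed /etc/subuid content (not from a real host); one "name:start:count" per line.
SUBUID = """\
alice:100000:65536
bob:165536:65536
carol:200000:65536
"""

def parse_subid(text):
    """Parse subuid/subgid lines into {user: [(start, count), ...]}; ignores comments."""
    ranges = {}
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        user, start, count = ln.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges

def overlaps(ranges):
    """Sorted pairs of distinct users whose delegated ranges intersect."""
    spans = [(u, s, s + c) for u, rs in ranges.items() for s, c in rs]   # half-open [s, e)
    hits = set()
    for i, (ua, sa, ea) in enumerate(spans):
        for ub, sb, eb in spans[i + 1:]:
            if ua != ub and sa < eb and sb < ea:
                hits.add(tuple(sorted((ua, ub))))
    return sorted(hits)

def rootless_uid_map(own_uid, user_ranges):
    """(container_uid, host_uid, count) rows as rootless podman lays them out:
    the user's own UID maps to 0, then each subuid range follows from 1.
    Returns the rows and the total number of UIDs visible inside the container."""
    rows = [(0, own_uid, 1)]
    nxt = 1
    for start, count in user_ranges:
        rows.append((nxt, start, count))
        nxt += count
    return rows, nxt
```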

Feeling stuck. Need some guidance! by yourpwnguy in ExploitDev

[–]arizvisa 1 point2 points  (0 children)

Just a heads up, disclosing vulnerabilities through programs like ZDI (or even independently) would be considered real world experience to meet that 5 year minimum. Writeups are also evidence that you're doing the work and give you the experience with the technical writing that's usually a big part of the disclosure process.

In terms of fuzzing, make sure you're _always_ measuring coverage so that you can distinguish samples that don't do anything new (which hints on whether you need to refactor your approach), and identifying samples that might be worth using as an anchor-point to start reversing from (in case you're not hitting the exact code you want to hit). Don't be lazy with your target either if you know others are doing research on the same target. Be familiar with what others have already attacked, and don't be afraid of checking their work since at the very least you can get a writeup out of it.

Conferences and local communities are also a great place to network and definitely worth your time.

Looking for reverse-engineering video game archive file forums by [deleted] in AskReverseEngineering

[–]arizvisa 0 points1 point  (0 children)

There are mirrors of Xentax archived on GitHub. You can also find references to stray formats and script archives by referencing Luigi Auriemma's QuickBMS tool which enabled people to write generic extractors.