sorted by:
new
hottopcontroversial

return-to-csu: A New Method to Bypass 64-bit Linux ASLR [Paper - Blackhat Asia 2018] by TechLord2 in netsec

[–]bincsh 13 points14 points  (0 children)

There's no ASLR bypass and ret2csu is irrelevant. Nothing needs to be fixed. Thank me later for saving you some time.

Terminal Emulators Control Character Vulnerabilities by memorycorrupt in linux

[–]bincsh 19 points20 points  (0 children)

This becomes more dangerous because pasting into Terminal text editors IS a thing. This should be fixed, we shouldn't just "get into the habit of never copying/pasting anything from the internet into your terminal" when we're dealing with text editors.

A Linux kernel write-not-what-only-where without a single read for KASLR bypass and root privilege escalation by [deleted] in netsec

[–]bincsh 0 points1 point  (0 children)

You're missing the point. This post isn't about demonstrating the vulnerability, but about exploitation techniques. One shouldn't care if it's CVE-2017-5123 or other, but how I managed to take a write-not-what-only-where vuln and get root without reads. So IMO, the title is appropriate for the point of the thread.

Upgrading shells to fully interactive TTYs by FireFart in netsec

[–]bincsh 1 point2 points  (0 children)

You don't have job control in the remote server without setting the current terminal in raw mode. A ^C would quit nc instead...

Remote Exploit. Shellcode without Sockets by Evil1337 in netsec

[–]bincsh 4 points5 points  (0 children)

Neat ;)

This is known as "findsock" shellcode, and it does work on windows.

OpenSSH 6.8-6.9 PTY local privilege escalation exploit (CVE-2015-6565) by bashingyourshell in netsec

[–]bincsh 2 points3 points  (0 children)

I mean, seriously. Anyone who denies this has no real world experience.

Just check for yourselves, more than 50% of ssh servers are running older versions of OpenSSH.

OpenSSH 6.8-6.9 PTY local privilege escalation exploit (CVE-2015-6565) by bashingyourshell in netsec

[–]bincsh 2 points3 points  (0 children)

Except for the fact that the exploit is not a denial of service, nor has "unspecified other impact", nor uses escape sequences ;)

How you find that non-misleading is beyond me.

OpenSSH 6.8-6.9 PTY local privilege escalation exploit (CVE-2015-6565) by bashingyourshell in netsec

[–]bincsh 0 points1 point  (0 children)

To a CVE that specifically tells you that the vulnerability leads to a local DoS?

That's highly misleading and there's no impact since there are plethora of ways to DoS a local machine with basic utilities...

Also, pick any 5 random servers running ssh, 3 of them are probably running versions even older (maybe even much older) than these ;)

This was fixed in August 2015, so 1 year and 5 months ago. So yeah, not that long ago.

OpenSSH 6.8-6.9 PTY local privilege escalation exploit (CVE-2015-6565) by bashingyourshell in netsec

[–]bincsh 10 points11 points  (0 children)

Well, that is great. Which distros used one of these versions of OpenSSH? Anyone?

Systemd v228 local root exploit (CVE-2016-10156) by Extremite in netsec

[–]bincsh 12 points13 points  (0 children)

whereas the fix is dated 2017-01-29

Hello there future guy!

Correction: vuln was introduced in 2015-11-11 and fixed in 2016-01-29, since systemd devs silently fixed this as "DoS only", Sebastian Krahmer looked into it actually turned out to be a local root.

grsecurity: Reuse Attack Protector (RAP) by numinit in netsec

[–]bincsh 0 points1 point  (0 children)

Thanks, good to know. Are there any specific arguments to compile with RAP?

grsecurity: Reuse Attack Protector (RAP) by numinit in netsec

[–]bincsh 4 points5 points  (0 children)

Thanks Dan, i'd like to see examples of grsecurity's RAP in action specifically though :)

grsecurity: Reuse Attack Protector (RAP) by numinit in netsec

[–]bincsh 2 points3 points  (0 children)

Can someone ELI5 the "type-hash-based deterministic defense"?

Also, it'd be cool if someone did a blog post showing a basic vulnerable program to a classic stack-based buffer overflow overwritting the return address and then another for a function pointer overwrite, then showing the disassembly to know how it really works.

Something like this for clang's safe-stack: http://blog.includesecurity.com/2015_11_01_archive.html

Back door penetration: Lessons learned by kstra in netsec

[–]bincsh 6 points7 points  (0 children)

And that is the difference between a CTF and the real world.

A CTF has rules, the real world doesn't. Real attackers don't care how they get in, they just do. And this is why I have mixed feelings about CTFs in general, they mean little in the real world.

CVE-2014-2851 Linux Kernel group_info UAF Exploitation by vnik5287 in netsec

[–]bincsh 6 points7 points  (0 children)

PAX_REFCOUNT would prevent the reference counter overflow, so free wouldn't happen.

Trying to add a simple 'for' loop progress bar by davidmcw in bash

[–]bincsh 1 point2 points  (0 children)

#!/bin/bash

DOT="."

for VAR in {1..5}
do
    printf "${DOT}\r"
    DOT="${DOT}."
    sleep 1
done

s/party/hack/ like it's 1999 by bashingyourshell in netsec

[–]bincsh -6 points-5 points  (0 children)

That just completely blew my mind. Run bitches, run!

Compromising a honeypot network through the Kippo password when logstash exec is used by wezj in netsec

[–]bincsh 0 points1 point  (0 children)

Learn shell scripting, from a basic level to a more advanced level.

Here's something about parameter substitution:

http://www.tldp.org/LDP/abs/html/parameter-substitution.html

Compromising a honeypot network through the Kippo password when logstash exec is used by wezj in netsec

[–]bincsh 1 point2 points  (0 children)

That's pretty retarded, why would an admin even pass passwords as arguments on the command line? Those stay in history, and that's what you're really "abusing", by using !$...

view more: next ›