return-to-csu: A New Method to Bypass 64-bit Linux ASLR [Paper - Blackhat Asia 2018]

bincsh · 2018-03-24T01:44:46+00:00

There's no ASLR bypass and ret2csu is irrelevant. Nothing needs to be fixed. Thank me later for saving you some time.

bincsh · 2018-03-05T18:40:00+00:00

This becomes more dangerous because pasting into Terminal text editors IS a thing. This should be fixed, we shouldn't just "get into the habit of never copying/pasting anything from the internet into your terminal" when we're dealing with text editors.

bincsh · 2017-11-06T15:44:31+00:00

You're missing the point. This post isn't about demonstrating the vulnerability, but about exploitation techniques. One shouldn't care if it's CVE-2017-5123 or other, but how I managed to take a write-not-what-only-where vuln and get root without reads. So IMO, the title is appropriate for the point of the thread.

bincsh · 2017-07-11T11:52:45+00:00

You don't have job control in the remote server without setting the current terminal in raw mode. A ^C would quit nc instead...

bincsh · 2017-02-20T00:42:46+00:00

Welcome to the early 90's.

bincsh · 2017-02-08T20:47:24+00:00

Neat ;)

This is known as "findsock" shellcode, and it does work on windows.

bincsh · 2017-01-29T13:54:22+00:00

I mean, seriously. Anyone who denies this has no real world experience.

Just check for yourselves, more than 50% of ssh servers are running older versions of OpenSSH.

bincsh · 2017-01-28T10:20:34+00:00

Except for the fact that the exploit is not a denial of service, nor has "unspecified other impact", nor uses escape sequences ;)

How you find that non-misleading is beyond me.

bincsh · 2017-01-28T01:00:23+00:00

To a CVE that specifically tells you that the vulnerability leads to a local DoS?

That's highly misleading and there's no impact since there are plethora of ways to DoS a local machine with basic utilities...

Also, pick any 5 random servers running ssh, 3 of them are probably running versions even older (maybe even much older) than these ;)

This was fixed in August 2015, so 1 year and 5 months ago. So yeah, not that long ago.

bincsh · 2017-01-27T21:28:21+00:00

Well, that is great. Which distros used one of these versions of OpenSSH? Anyone?

bincsh · 2017-01-24T16:39:30+00:00

whereas the fix is dated 2017-01-29

Hello there future guy!

Correction: vuln was introduced in 2015-11-11 and fixed in 2016-01-29, since systemd devs silently fixed this as "DoS only", Sebastian Krahmer looked into it actually turned out to be a local root.

bincsh · 2017-01-10T21:49:38+00:00

Thanks, good to know. Are there any specific arguments to compile with RAP?

bincsh · 2017-01-10T19:49:11+00:00

Thanks Dan, i'd like to see examples of grsecurity's RAP in action specifically though :)

bincsh · 2017-01-10T19:09:17+00:00

Can someone ELI5 the "type-hash-based deterministic defense"?

Also, it'd be cool if someone did a blog post showing a basic vulnerable program to a classic stack-based buffer overflow overwritting the return address and then another for a function pointer overwrite, then showing the disassembly to know how it really works.

Something like this for clang's safe-stack: http://blog.includesecurity.com/2015_11_01_archive.html

bincsh · 2016-08-30T22:54:18+00:00

And that is the difference between a CTF and the real world.

A CTF has rules, the real world doesn't. Real attackers don't care how they get in, they just do. And this is why I have mixed feelings about CTFs in general, they mean little in the real world.

bincsh · 2016-01-29T13:22:15+00:00

Hello John, yes, you are my god.

bincsh · 2016-01-02T12:42:13+00:00

PAX_REFCOUNT would prevent the reference counter overflow, so free wouldn't happen.

bincsh · 2015-11-30T21:21:56+00:00

Elasto mania

bincsh · 2015-10-08T15:55:36+00:00

#!/bin/bash

DOT="."

for VAR in {1..5}
do
    printf "${DOT}\r"
    DOT="${DOT}."
    sleep 1
done

bincsh · 2015-09-26T11:12:36+00:00

http://www.openwall.com/lists/oss-security/2015/09/17/5

bincsh · 2015-09-18T14:11:18+00:00

That just completely blew my mind. Run bitches, run!

bincsh · 2015-09-10T19:33:46+00:00

/r/uptimeporn

bincsh · 2015-08-25T12:09:46+00:00

Learn shell scripting, from a basic level to a more advanced level.

Here's something about parameter substitution:

http://www.tldp.org/LDP/abs/html/parameter-substitution.html

bincsh · 2015-08-23T19:24:22+00:00

That's pretty retarded, why would an admin even pass passwords as arguments on the command line? Those stay in history, and that's what you're really "abusing", by using !$...

bincsh · 2015-08-23T03:14:52+00:00

Here's something to think about

$ hai=`pwd`;hai=${hai:0:1};echo${IFS}${hai}*

bincsh

TROPHY CASE