| This playbook has been removed as it is now very outdated. |
| Instructions for 10.9 are in the works. | |
| Install and configure brew | |
| $ ruby -e "$(curl -fsSkL raw.github.com/mxcl/homebrew/go)" | |
| $ touch ~/.bashrc | |
| $ echo "export CFLAGS=\"-arch x86_64\"" >> ~/.bashrc | |
| $ echo "export ARCHFLAGS=\"-arch x86_64\"" >> ~/.bashrc | |
| $ source ~/.bashrc | |
| $ brew update | |
| $ brew doctor |
Thanks to Jacob Kaplan-Moss, Donald Stufft, David Reid, Allen Short, Zain Memon, and Chris Armstrong for review.
This is a guide for technical individuals to understand in what circumstances SSL communications are secure against an observer-in-the-middle (for all intents and purposes: the NSA).
© 2014 Mantas Mikulėnas <grawity@gmail.com>
This documentation is released under Creative Commons 3.0 Attribution license.
This is a description of server-server protocol, intended for ircd and services developers. For the client-server protocol descriptions, intended for client & bot developers, see the IRCv3 [sasl-3.1][] and [sasl-3.2][] specifications.
| ## Redis Lua 5.1 sandbox escape 32-bit Linux exploit | |
| ## Original exploit by corsix and sghctoma | |
| ## Author: @c3c | |
| ## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode | |
| ## This concept is fully explained on corsix' gist at https://gist.github.com/corsix/6575486 | |
| ## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different | |
| ## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system" http://paper.seebug.org/papers/Security%20Conf/Defcon/2015/DEFCON-23-Tamas-Szakaly-Shall-We-Play-A-Game.pdf | |
| ## This code is much the same, except the process is done using pwntools' DynELF | |
| ## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version |
The badge of the Syscan 2015 conference included an ARM-based STM32F030R8 processor running some challenges. Although SWD pins are accessible on the badge, some have noted that the STM32 is readout-protected, meaning that it will refuse to dump its flash memory.
Fortunately, two researchers (Johannes Obermaier and Stefan Tatschner) recently published a paper at the WOOT '17 conference, in which they reveal a vulnerability allowing to bypass the readout protection. Their technique allows to dump the flash one DWORD at a time, rebooting the CPU between each access.
I implemented this attack using a BusPirate and the PySWD module. Here is a quick'n dirty PoC to
| #!/usr/bin/python2 | |
| from random import randint, choice | |
| from gmpy2 import is_prime # pip install gmpy2 | |
| import operator | |
| ### Code from ROCA | |
| primes = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, | |
| 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167] | |
| prints = [6, 30, 126, 1026, 5658, 107286, 199410, 8388606, 536870910, 2147483646, 67109890, 2199023255550, |
| #include <sys/types.h> | |
| #include <sys/stat.h> | |
| #include <sys/mman.h> | |
| #include <errno.h> | |
| #include <fcntl.h> | |
| #include <stdio.h> | |
| #include <stdint.h> | |
| #include <string.h> | |
| #define ARRAYSIZE(x) (sizeof(x) / sizeof(*x)) |
| ''' Provides a very basic (read: shitty) FT2232H SWD implementation. ''' | |
| import time | |
| import logging | |
| import binascii | |
| from struct import pack | |
| from struct import unpack | |
| from operator import xor | |
| from pyftdi.gpio import GpioController |
