Fernando Muñoz fmunozs
$ ./zsh -c 'a="a=n++";((a))'
=================================================================
==13566==ERROR: AddressSanitizer: heap-use-after-free on address 0xb61056d5 at pc 0x08205bb8 bp 0xbfffe1c8 sp 0xbfffe1bc
READ of size 1 at 0xb61056d5 thread T0
    #0 0x8205bb7 in matheval (/root/fuzzshell/zsh+0x8205bb7)
    #1 0x8270cd4 in getnumvalue (/root/fuzzshell/zsh+0x8270cd4)
    #2 0x82050ca  (/root/fuzzshell/zsh+0x82050ca)
    #3 0x82059f0 in matheval (/root/fuzzshell/zsh+0x82059f0)
@fmunozs
fmunozs / gist:af3268fd5a6eda8392d2773b20754b94
Created May 1, 2023 00:37
mksh segfaults - heap-use-after-free /home/user/mksh/mksh/lex.c:147:2 in getsc_r
## Debian mksh version
user@deb64:~/mksh/mksh$ mksh
$ echo $KSH_VERSION
@(#)MIRBSD KSH R59 2021/07/10
user@deb64:~/mksh/mksh$ mksh < file
mksh: no closing quote
Segmentation fault
## mksh from master
@fmunozs
fmunozs / mksh segfaults
Created February 23, 2016 03:05
segmentation fault
# mksh -c 'echo ${0/}'
Segmentation fault
(gdb) run -c 'echo ${0/}'
Starting program: /root/fuzzshell/mksh -c 'echo ${0/}'
Program received signal SIGSEGV, Segmentation fault.
0x0804ba3c in findptr (ap=0x201b60, ptr=0x8201a7c "/root/fuzzshell/mksh", lpp=<synthetic pointer>) at ../../lalloc.c:59
59 while (ap->next != lp)
(gdb) bt
@fmunozs
fmunozs / sslnull
Created April 10, 2015 04:37
OpenSSL / LibreSSL null dereference
OpenSSL Null pointer Dereference
=================================
I *think* anything below 1.0.2 is affected. I didn't have time to report it
but noticed that the last update doesn't crash anymore, so I guess one of
the recently fixed CVEs fixed this too [1].
[1] https://www.openssl.org/news/secadv_20150319.txt
(old) Openssl on OSX
====================
@fmunozs
fmunozs / mailclient.py
Created January 23, 2015 21:19
Script to check a mail inbox and open all URLs found in new email messages with the default browser.
#!/usr/bin/python
# -*- coding: utf-8 -*-
# simple script to open all urls found in a new email
# useful to automate client side exploits on a pentesting lab
# author: fmunozs http://github.com/fmunozs
import os
import sys
import imaplib

Keybase proof

I hereby claim:

  • I am fmunozs on github.
  • I am bef0rd (https://keybase.io/bef0rd) on keybase.
  • I have a public key whose fingerprint is 3D03 3279 9B23 C562 3C6F 7383 BB0C AB84 4A77 D063

To claim this, I am signing this object:

$ mksh -c 'echo 1111111111111111111111111111111111111>1'
Segmentation fault (core dumped)
$ gdb mksh
GNU gdb (GDB) 7.8
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
var http = require('http');
var https = require('https');
var get = require('get');
var fs = require('fs');
var hustlers = [];
var bounties = [];
/*