This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.
On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that
| (* 这是我(预期,亦或是已经)在 ∞-type càfe summer school 上做的 talk, | |
| "从零教你手把手实现一个 MLTT 类型检查器" | |
| 的内容稿。本 talk 计划以现场边讲解边手写代码的方式实现, | |
| 所以虽然这份内容稿会尽量尝试还原 talk 的思路和逻辑, | |
| 它的内容可能会与实际的 talk 有出入,建议有条件的人直接去听 talk 本身 *) | |
| (* 本次 talk 将会使用 OCaml 来实现一个 MLTT 类型检查器。 | |
| 你可能不会写 OCaml,但这没有关系。本次 talk 只会使用以下的功能: |
| function gc() { for (let i = 0; i < 0x10; i++) { new ArrayBuffer(0x1000000); } } | |
| // (1) convert stuff | |
| var _b = new ArrayBuffer(16); | |
| var _f = new Float64Array(_b); | |
| var _i = new BigUint64Array(_b); | |
| // converts float to big unsigned int | |
| function f2i(f) | |
| { |
The challenge was to achieve RCE with this file:
<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).
I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.
Here is the best setup (I think so :D) for K-series Keychron keyboards on Linux.
Note: many newer Keychron keyboards use QMK as firmware and most tips here do not apply to them. Maybe the ones related to Bluetooth can be useful, but everything related to Apple's keyboard module (hid_apple) on Linux, won't work. As far as I know, all QMK-based boards use the hid_generic module instead. Examples of QMK-based boards are: Q, Q-Pro, V, K-Pro, etc.
Most of these commands have been tested on Ubuntu 20.04 and should also work on most Debian-based distributions. If a command happens not to work for you, take a look in the comment section.
Older Keychron keyboards (those not based on QMK) use the hid_apple driver on Linux, even in the Windows/Android mode, both in Bluetooth and Wired modes.
exec - Returns last line of commands output
passthru - Passes commands output directly to the browser
system - Passes commands output directly to the browser and returns last line
shell_exec - Returns commands output
\`\` (backticks) - Same as shell_exec()
popen - Opens read or write pipe to process of a command
proc_open - Similar to popen() but greater degree of control
pcntl_exec - Executes a program
| /** | |
| Simple(ish) example of discord gateway | |
| This code will get to ready, and then remain connected with heartbeats | |
| see https://discordapi.com/topics/gateway for more info | |
| zlib compression is implemented as it will be required in gateway v7 (so get used to it now) | |
| */ | |
| const WebSocket = require('ws'); // npmjs.org/ws | |
| const zlib = require('zlib-sync'); // npmjs.org/zlib-sync | |
| const erlpack = require('erlpack'); // github.com/discordapp/erlpack |
namespaces - overview of Linux namespaces http://man7.org/linux/man-pages/man7/namespaces.7.html
mount_namespaces - overview of Linux mount namespaces