axt

/*
 * Naive hit tracer implementation using DynamoRIO.
 * 
 * Author: axt
 * 
 * Build it with the following commands:
 *	gcc  -Dbbhit_EXPORTS -DSHOW_RESULTS -DSHOW_SYMBOLS -fPIC -I../include -I../ext/include  -DX86_64 -DLINUX  -O2 -fno-stack-protector -o bbhit.c.o  -c bbhit.c
 *	gcc  -fPIC -O2  -DX86_64 -DLINUX -fno-stack-protector -fPIC -shared -lgcc -Wl,--hash-style=both -shared -Wl,-soname,libbbhit.so -o libbbhit.so bbhit.c.o ../lib64/debug/libdynamorio.so.4.2 ../ext/lib64/debug/libdrsyms.so
 */
#include <stddef.h>

hhc0null

Your First Format String Attacks.

1. What's the `Format String Bugs'?

　Format String Bugs(以降, FSBとする)とは, sprintf()やfprintf()などのprintf関数群やsyslog()などのFormat Strings(以降, 書式指定子とする)を扱える関数において, ユーザが自由に書式指定子を配置できるバグである. これを利用した攻撃手法をFormat String Attacksと呼び, この攻撃によりターゲットとなるプロセスがアクセス可能な任意のメモリの読み書きが行えるようになる. また, それを利用しプログラムの制御を乗っ取ることも可能である.
　実際のプログラムに多く存在するとは到底言えないような脆弱性ではあるが稀に見つかることはある. CVE-2012-0809[1]ではsudoのデバッグ機能にFSBが見つかり, 実際にlocal exploitが公開されたりもした. 前述の通り珍しいものではあるが, 任意のメモリの書き換えができるなど非常に強力なものであることからCTFではよく題材にされる.
　この記事ではFSBの検証に以下の環境を使用した.

sh-4.3$ uname -a
Linux Arch_Laptop 4.0.4-1-ARCH #1 SMP PREEMPT Mon May 18 06:43:19 CEST 2015 x86_64 GNU/Linux

bazad

#! /bin/bash
#
# build-xnu-4570.1.46.sh
# Brandon Azad
#
# A script showing how to build XNU version 4570.1.46 on MacOS High Sierra
# 10.13 with Xcode 9.
#
# Note: This process will OVERWRITE files in Xcode's MacOSX10.13.sdk. Make a
# backup of this directory first!

mgeeky

XML Vulnerabilities

XML processing modules may be not secure against maliciously constructed data. An attacker could abuse XML features to carry out denial of service attacks, access logical files, generate network connections to other machines, or circumvent firewalls.

The penetration tester running XML tests against application will have to determine which XML parser is in use, and then to what kinds of below listed attacks that parser will be vulnerable.

---

ChiChou

#!/usr/local/bin/python3

import sys
import os
import base64
import frida


def main():
    host = frida.get_local_device()

stefanesser

It has come to my attention that BlackHat EU had talks from Alibaba Security about iOS security topics. It seems to be from the same people that have previously presented at DEFCON. Back then I had publicly discussed how their talk is basically just a summary of other people's work that is heavily miscredited to the wrong people.

Considering this history it is surprising that BlackHat would allow the same people to give a talk again on iOS security topics. But I have given up a long time ago on the BlackHat review board and their decisions, which is one of the reasons why I have stopped submitting to them years ago.

But I am digressing from the actual reason for this GIST. And no it is not about the fact that the talk once again starts with summarizing other people's work and crediting the wrong parties for the work done. In this GIST I want to go over one of the slides from the "summary part" of the talk, because not a single item on that slide is correct information.

So here is the offending slide:

![Fr

knightsc

#! /bin/bash
#
# build-xnu-4903.221.2.sh
# Scott Knight
#
# Based on the script by Brandon Azad
# https://gist.github.com/bazad/654959120a423b226dc564073b435453
#
# A script showing how to build XNU version 4903.221.2 on macOS Mojave
# 10.14 with Xcode 10.1.

MattPD

Program Analysis Resources

(draft; work in progress)

See also:

• Compilers
  • correctness
• Program analysis:
• Dynamic analysis - instrumentation, translation, sanitizers

0x09AL

import requests
import sys
import time

append_value = str(time.time())

print "# By 0x09AL - MDSec ActiveBreach \n"

def upload_file(url,payload):
	endpoint = url + "/vpns/portal/scripts/newbm.pl"

knightsc

#! /bin/bash
#
# build-xnu-6153.11.26.sh
# Scott Knight
#
# Based on the script by Brandon Azad
# https://gist.github.com/bazad/654959120a423b226dc564073b435453
#
# A script showing how to build XNU version 6153.11.26 on macOS Catalina
# 10.15 with Xcode 11.13.1.