timb-machine

function Get-Sigs($directorypath = $pwd, [string[]]$patternstring = "*.exe") {
	foreach ($fileitem in Get-ChildItem $directorypath)) {
		if ($patternstring | Where { $fileitem -Like $_ }) {
			Get-AuthenticodeSignature $fileitem.FullName
		}
		if (Test-Path $fileitem.FullName -PathType Container) {
			Get-Sigs $fileitem.FullName $patternstring
		}
	}
}

timb-machine

# socat unix-connect:/var/run/avahi-daemon/socket stdin
FUCK
+ FUCK: Go fuck yourself!

timb-machine

$ cat dakami_rng.html.out | awk '{print $2}' | grep "[0-9]" | perl -e 'my %foo; while (<>) { $_ =~ s/\x0a//g; $_ =~ s/\x0d//g; if ($foo{$_} == undef) { $foo{$_} = 0 } $foo{$_} ++ }; foreach $key (keys %foo) { print $key . ":" . $foo{$key} . "\n"; }' | more | sort -n:
0:391
1:409
2:397
3:379
4:389
...

timb-machine

#include <dlfcn.h>
#include <stdio.h>

int main(int argc, char **argv) {
	void *libraryhandle;
	int (*functionpointer)(void *, void *, void *, void *, void *, void *, void *, void *, void *);
	int functionresult;
	libraryhandle = dlopen(argv[1], RTLD_NOW);
	functionpointer = dlsym(libraryhandle, argv[2]);
	functionresult = functionpointer(argv[3] ? argv[3] : NULL, argv[4] ? argv[4] : NULL, argv[5] ? argv[5] : NULL, argv[6] ? argv[6] : NULL, argv[7] ? argv[7] : NULL, argv[8] ? argv[8] : NULL, argv[9] ? argv[9] : NULL, argv[10] ? argv[10] : NULL, argv[11] ? argv[11] : NULL);

timb-machine

On Linux:

$ date && touch foo && chmod u+xs foo && sudo chown 0:0 foo && ls -l foo && date
Sun 26 Apr 15:10:58 BST 2015
-rwxr--r-- 1 root root 0 Apr 26 15:10 foo
Sun 26 Apr 15:10:58 BST 2015

On other OS (iOS in this case):

$ date && touch foo && chmod u+xs foo && sudo chown 0:0 foo && ls -l foo && date

timb-machine

$ ./sploit 2000 $$
maximumleak: 2000
target: 14876824
... ...........n .......bash.......4.....Sq...NQ...@..../usr/lib/libiconv.a.shr4.o.....4.....R........> ..../usr/lib/libi18n.a.shr.o.......0.....R....-u.RQ(..#4/usr/lib/nls/loc/en_US.....4.....Q.....>..f....(/usr/lib/libcrypt.a.shr.o......0.....f.......5p...../usr/lib/libdl.a.shr.o.....8...........P.e.0..HV/usr/lib/libcurses.a.shr42.o.utd...<.....M.......)....?./usr/lib/libpthreads.a.shr_xpg5.o......<.....Q....1_.$....! /usr/lib/libpthreads.a.shr_comm.o.ip.............=...x....eh/usr/lib/threads/libc.a.shr.o...rc.teboot.d........2.......S.(..rc.trustedboot.............3.......r. ..rc.wpars...........4......... ..resolv.conf........5......... ..route.....[`.......6.......-....rpc........7......... ..rpc.pcnfsd.c.......8.......D....rpm........9......... ..rsvpd.conf.........:......... ..screenrc...........;.......P. ..securetcpip........<......... ..security...........=.......v. ..sendmail.cf........>......... ..services...........?........

timb-machine

$ find / -type s | ./UNIXSocketScanner.pl -x 5 -p ./probes -n /usr/share/nmap/nmap-service-probes
...
/tmp/akonadi-xxx.HoHuFd/mysql.socket
+ matches nmap-response-mysql
+ matches nmap-probe-NULL
/tmp/akonadi-xxx.HoHuFd/akonadiserver.socket
/tmp/ksocket-xxx/klauncherMT5682.slave-socket
/tmp/ksocket-xxx/kio_http_cache_cleaner
/tmp/ksocket-xxx/kdeinit4__0
/tmp/.ICE-unix/5725

timb-machine

$ sudo ./biscuit.py
[@] biscuit> scan
['/dev/ttyUSB0']
[@] biscuit> select /dev/ttyUSB0
[@/dev/ttyUSB0] biscuit> open
[@/dev/ttyUSB0 *] biscuit> available
['modules/local/ATTRACE.py', 'modules/local/BaudRate.py', 'modules/local/RunScript.py', 'modules/local/Terminal.py']
[@/dev/ttyUSB0 *] biscuit> use modules/local/ATTRACE.py
ATTRACE
[ATTRACE@/dev/ttyUSB0 *] biscuit> show

timb-machine

$ sudo getcap `which ping`
sudo getcap `which ping`
[sudo] password for xx: 
/bin/ping = cap_net_raw+ep

timb-machine

FreeBSD 9.2-RC1:

$ nc -n -vv -l -p 9090 | hexdump -C
listening on [any] 9090 ...
connect to [192.168.x.y] from (UNKNOWN) [192.168.124.194] 52680
00000000  68 65 6c 6c 6f 0a 00 00  00 00 00 00 00 00 00 00  |hello...........|
 sent 0, rcvd 30
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00        |..............|
0000001e