Tim Brown timb-machine
@timb-machine
timb-machine / Dumping CrowdStrike's LKM
Created May 10, 2025 16:16
Falcon-sensor strace:
1185 init_module(0x556ce33f8b00, 204357, "") = 0
1185 init_module(0x556ce3430940, 122757, "") = 0
1185 init_module(0x556ce342a950, 24541, "") = 0
1185 init_module(0x7f33243be010, 1718317, "configbuild=1007.8.0012905.1") = 0
(gdb) catch syscall init_module
(gdb) run
timb-machine / ssh sshgw.stromberg.org
Last active May 10, 2025 16:17

$ ssh sshgw.stromberg.org
The authenticity of host 'sshgw.stromberg.org (136.47.201.206)' can't be established.
RSA key fingerprint is SHA256:VqUUSiSuOQhm+3vrJG9VDb4fWa2dM23Th23T9D88+L4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'sshgw.stromberg.org' (RSA) to the list of known hosts.
OpenBSD 7.3 (GENERIC.MP) #0: Thu May 18 19:05:43 MDT 2023

Welcome to OpenBSD: The proactively secure Unix-like operating system.

timb-machine / Messing with slash-proc
Last active May 4, 2025 19:41
# ps -aef | grep 94
root 94 2 0 Jun16 ? 00:00:00 [kworker/6:1H]
root 594 2 0 Jun16 ? 00:00:00 [ipv6_addrconf]
root 4692 2509 0 01:17 pts/0 00:00:00 grep 94
root 20394 2 0 Oct08 ? 00:00:20 [kworker/u32:2]
# mkdir -p spoof/fd; mount -o bind spoof /proc/94; ln -s socket:\[283\] /proc/94/fd/99; ls -la /proc/94/fd
total 4
drwxr-xr-x 2 root root 4096 Oct 9 01:16 .
dr-xr-xr-x 193 root root 0 Jun 16 17:40 ..
lrwxrwxrwx 1 root root 12 Oct 9 01:16 99 -> socket:[283]
timb-machine / Example of bcrypt() weakness around input string truncation (the choice of PHP is arbitrary)
Created March 1, 2025 21:47
<?php
// bcrypt only consumes the first 72 bytes of its input; anything beyond that is silently ignored.
$prefix = "123567890123567890123567890123567890123567890123567890123567890123456789"; // exactly 72 bytes
$hash = password_hash($prefix . "test", PASSWORD_BCRYPT);
// password_verify() re-hashes with the salt embedded in $hash, so this also works on
// PHP 8+, where the "salt" option to password_hash() is no longer honoured.
if (password_verify($prefix . "hell", $hash)) {
    print "matches\n";
}
?>
timb-machine / What3Words are offensive
Last active February 8, 2025 09:15
Never mind that what3words has real technical, logistical, practical limitations... Let's look at some of the dark, libellous, illegal and/or downright offensive combinations of /// addresses that their word lists can result in:
* https://what3words.com/mistakes.cost.lives
* https://what3words.com/troll.under.bridge
* https://what3words.com/burn.that.school
* https://what3words.com/lorry.catches.fire
* https://what3words.com/shank.that.police
* https://what3words.com/hang.puppy.quick
* https://what3words.com/master.whips.slave
* https://what3words.com/bullets.into.head
timb-machine / CVE-2022-36768 for shits and giggles...
Last active January 4, 2024 22:44
We start by unpacking the patch. On this occasion it's shipped as an RTE file (an AIX-specific backup format), so we need to unpack it on our AIX VM like so:
$ restore -T -f ../invscout.rte
/lpp_name
/usr
/usr/lpp
/usr/lpp/invscout.rte
/usr/lpp/invscout.rte/liblpp.a
/usr/lpp/invscout.rte/inst_root
/usr/lpp/invscout.rte/inst_root/liblpp.a
timb-machine / CVE-2022-36768 for shits and giggles... (WIP)
Last active January 4, 2024 22:42
timb-machine / unix-audit DSL prototype
Last active August 1, 2023 05:58
platformtags:
  - "linux"
checks:
  - type: "Informational"
    checks:
      - name: "Platform"
        exec:
          - command: "uname"
            stderr: true
            encode: ""
timb-machine / Comparing and contrasting generations of RedMenshen AKA BPFDoor
Created June 9, 2023 21:39
Recent:
$ ../../../src/tools/triage-binary.sh fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73.elf.x86_64
[Execution, Persistence, Discovery: attack:T1053.006:Systemd Timers, attack:T1543.002:Systemd Service, attack:T1007:System Service Discovery]: /usr/lib/systemd/systemd-journald (1)
[Defense Evasion: attack:T1070.004:File Deletion]: ldterm (1)
[Defense Evasion: attack:T1070.004:File Deletion]: unlink@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:Auditd, attack:T1562.001:Disable or Modify Tools]: /sbin/auditd -n (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: argv0 (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: prctl@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:ProcessTreeSpoofingForking]: fork@@GLIBC_2.2.5 (1)
timb-machine / List of CVEs for vulnerability disclosures
Last active April 17, 2023 23:55
NDSA20020719.txt.asc, CVE-2002-2331
NDSA20021112.txt.asc, CVE-2002-2399
NDSA20050719.txt.asc
NDSA20060705.txt.asc, CVE-2006-3848
NDSA20070206.txt.asc, CVE-2007-0838
NDSA20070412.txt.asc
NDSA20070524.txt.asc, CVE-2007-3190, CVE-2007-3191, CVE-2007-3189
NDSA20071016.txt.asc, CVE-2007-5691, CVE-2007-5492, CVE-2007-5493, CVE-2007-5694, CVE-2007-5695
NDSA20071119.txt.asc, CVE-2007-6100
NDSA20080215.txt.asc, CVE-2007-4074