Wade Mealing wmealing
  • Brisbane
@wmealing
wmealing / Leveraging non important flaws in exploit chains.txt
Last active February 3, 2020 04:40
Prioritizing fix order of minor flaws.
Abstract
This paper intends to demonstrate how to score the importance of lower-impact flaws that can be chained together to allow
higher-impact vulnerabilities in a single package to be exploited reliably. A common vocabulary and scoring system
will be established, and a few of the current high-profile exploit chains used in pwn2win and the Chrome exploit
challenge will be explained and scored in this system to show where they lie.
1. Introduction
Software vendors analyse and score security flaws based on their existence without considering existing unfixed flaws
/* */
/* gcc drm_i915_ktsploit.c -o kt -ldrm -I/usr/include/libdrm */
/* exploit by oxagast */
/* */
//Jun 17 01:22:05 likon kernel: [ 1788.600973] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
//Jun 17 01:22:05 likon kernel: [ 1788.600982] IP: __sg_alloc_table_from_pages+0xe4/0x1f0
//Jun 17 01:22:05 likon kernel: [ 1788.600984] PGD 0 P4D 0
//Jun 17 01:22:05 likon kernel: [ 1788.600987] Oops: 0000 [#3] SMP PTI
//Jun 17 01:22:05 likon kernel: [ 1788.600988] Modules linked in: rfcomm appletalk ipx p8023 psnap p8022 llc pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) snd_hrtimer ccm cmac bnep binfmt_misc arc4 iwlmvm mac80211 hid_multitouch hid_sensor_magn_3d hid_sensor_accel_3d hid_sensor_rotation hid_sensor_incl_3d hid_sensor_als ir_lirc_codec lirc_dev hid_sensor_gyro_3d rtl2832_sdr hid_sensor_trigger industrialio_t
@wmealing
wmealing / Priviledged-ebpf.md
Last active May 10, 2019 00:41
eBPF privileged operations.

== Why are eBPF filter operations privileged in some distributions?

eBPF is a mechanism by which local users can ask the Linux kernel to attach small programs (eBPF bytecode) to tracepoints, kprobes, and perf events in the kernel. This bytecode is later translated into native instructions and executed. Because of this it is heavily used in performance tuning and benchmarking. As this instrumentation can be carried out without recompiling the kernel, eBPF is very attractive for systems where a rebuild would be prohibitive due to cost, downtime, or complexity.

Using eBPF requires calling a syscall, bpf(2). This syscall is used for all eBPF operations: loading programs, attaching them to specific events, creating eBPF maps, and accessing map contents from tools. At this time, users with the CAP_SYS_ADMIN capability in the initial namespace can use the bpf(2) syscall; this capability is effectively root-level privilege.

@wmealing
wmealing / what.exs
Created January 30, 2019 17:37
What.
defmodule SecretHandshake do
@doc """
Determine the actions of a secret handshake based on the binary
representation of the given `code`.
If the following bits are set, include the corresponding action in your list
of commands, in order from lowest to highest.
1 = wink
10 = double blink
ERROR: CONFIG: Expected one of these tokens: <end>, '#', 'set ', 'set ', 'set_from_resource', 'bindsym', 'bindcode', 'bind', 'bar', 'font', 'mode', 'floating_minimum_size', 'floating_maximum_size', 'floating_modifier', 'default_orientation', 'workspace_layout', 'default_border', 'new_window', 'default_floating_border', 'new_float', 'hide_edge_borders', 'for_window', 'assign', 'no_focus', 'focus_follows_mouse', 'mouse_warping', 'focus_wrapping', 'force_focus_wrapping', 'force_xinerama', 'force-xinerama', 'disable_randr15', 'disable-randr15', 'workspace_auto_back_and_forth', 'fake_outputs', 'fake-outputs', 'force_display_urgency_hint', 'focus_on_window_activation', 'show_marks', 'workspace', 'ipc_socket', 'ipc-socket', 'restart_state', 'popup_during_fullscreen', 'exec_always', 'exec', 'client.background', 'client.focused_inactive', 'client.focused', 'client.unfocused', 'client.urgent', 'client.placeholder'
ERROR: CONFIG: (in file /home/wmealing/.i3/config)
ERROR: CONFIG: Line 141:
ERROR: CONFIG: Line 142: #
#+BEGIN_SRC sh
ag 'static int lo_release' .
#+END_SRC
#+results:
: static int lo_release(struct gendisk *disk, fmode_t mode)
#+NAME:function-match-rhel6
#+BEGIN_SRC sh
grep -h --include='*.c' "static int lo_release" * -R -A 5
@wmealing
wmealing / blogs_about_pentest
Created October 23, 2017 15:30 — forked from espreto/blogs_about_pentest
Blogs about pentests
http://carnal0wnage.attackresearch.com/
http://www.mcgrewsecurity.com/
http://www.gnucitizen.org/blog/
http://www.darknet.org.uk/
http://www.spylogic.net/
http://taosecurity.blogspot.com.br/
http://www.room362.com/
http://blog.sipvicious.org/
http://blog.portswigger.net/
http://pentestmonkey.net/blog
@wmealing
wmealing / couch-install-centos7.
Created May 3, 2016 14:13
centos7 / rhel7 install instructions for couchdb.
#!/bin/bash
# Move to a location where you don't mind storing the couchdb install files.
cd /tmp/
EPEL_FILE=epel-release-latest-7.noarch.rpm
COUCH=apache-couchdb-1.6.1.tar.gz
rm -rf epel-release-latest-7.noarch.rpm
Hello Madame Guillard,
We confirm by this message that a limousine will be waiting for you at Nice Côte d'Azur airport at 21h30.
The journey between Nice and Monaco should take about thirty minutes. You can of course modify this reservation at your convenience. We remain entirely at your disposal for any other request.
Hello Madame Guillard,
We confirm with this message that a limousine will be waiting for you at the Nice Côte d'Azur airport at 21h30.
#include <stdio.h>
#include <strings.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/wait.h>