Skip to content

Instantly share code, notes, and snippets.

@yrp604
yrp604 / unimpl.py
Last active Oct 30, 2020
binja unimplemented instructions snip
View unimpl.py
#unlifted instructions
#
from collections import defaultdict
from binaryninja.enums import LowLevelILOperation
unlifted = defaultdict(list)
print('unlifted instructions in bndb')
for ll in bv.llil_instructions:
@yrp604
yrp604 / ida695sdk-macos1012.md
Last active Dec 27, 2017
IDA 6.95 SDK on macOS 10.12
View ida695sdk-macos1012.md

Instructions for compiling the IDA 6.95 SDK on macOS 10.12 with Xcode 8

I have no idea if this is the best way to do this (is it really required to compile QT?) but it works for me. This is also reconstructed from the history of a few terminal windows, so it's entirely possible I'm forgetting something.

Start by following the install_linux.txt instructions. You'll need to copy libida.dylib and libida64.dylib into bin in the SDK root. Additionally, that bin directory should be in you PATH. Finally make bin/idamake.pl executable. All of these is covered in the SDK docs.

@yrp604
yrp604 / xnu-syscall-life-amd64.md
Last active Sep 18, 2021
The life of an XNU unix syscall on amd64
View xnu-syscall-life-amd64.md

XNU syscall path

Chart

             +------------------+
             |These push their  |                                  +-----------------------+
             |respective syscall|                                  |This overwrites the    |
             |dispatch functions|                                  |saved dispatch function|
             |onto the stack    |                                  |with hndl_alltraps     |
View cfi-notes.md

Starting in clang 3.7 they've introduced a new argument -fsanitize=cfi which aims to protect indirect calls from overwrites.

All the code and binaries I used can be downloaded here

Protecting C Function pointers

First, I thought I would look at how CFI applied to simple C structs with function pointers. After fighting with the compiler to get it to stop optimizing my code, (i.e. call <puts> instead of call rcx because clang realized that rcx was always going to be puts(3)) I got it calling things from memory. However, there was no CFI protection on the call. I played around with this a bit (interestingly, clang will optimize use of un-initialized memory to the ud2 instruction) but was unable to get any CFI protection in place.

Protection C++ virtual calls

Reading a bit of the clang manual, it talked a lot about C++ virtual methods, so I thought I would look at those. I also played around with non virtual calls, those were replaced with static cal

@yrp604
yrp604 / safe-stack-notes.md
Last active Mar 29, 2017
Safe Stack Notes
View safe-stack-notes.md

Note: I've only briefly read the related CPI paper (PDF), this is just initial impressions after playing around with it a bit.

All the code and binaries I used can be downloaded here. Note that I removed -DFORTIFY_SOURCE=2 to make the examples a bit simpler.

-fsanitize=safe-stack basically seems to move stack based buffers off the actual stack, onto another segment of memory (I'll call it the fake stack). The actual stack then stores references to this segment. For example:

char buf[20];
printf("%p\n", buf);
View gist:e4c7f896b834b3da65ae
Kreading klist:
Attack the Core - http://www.amazon.com/Guide-Kernel-Exploitation-Attacking-Core/dp/1597494860
Kernel Exploitation Notes - http://phrack.org/issues/64/6.html#article
Stack Jacking - https://jon.oberheide.org/blog/2011/04/20/stackjacking-your-way-to-grsec-pax-bypass/
Smashing the Kernel Stack for Fun and Profit- http://phrack.org/issues/60/6.html
A XNU Hope - http://phrack.org/issues/64/11.html
Core Security OpenBSD IPv6 Remote Kernel Exploit - http://www.coresecurity.com/content/open-bsd-advisorie
802.11 Wireless Vulnerabilities on Windows - http://www.uninformed.org/?v=6&a=2&t=sumry
Abusing Mach on OS X - http://www.uninformed.org/?v=4&a=3&t=sumry