Bash – Bazz's Code Developments

Stay out of the logs — /var/log/auth.log

By michaelbazzinott001 Posted on October 24, 2014 Posted in Bash, C No Comments

PROBLEM: the auth.log gets appended to after logging out… Oct 24 00:38:23 gateway sshd[1801]: pam_unix(sshd:session): session closed for user root You can erase all other traces but not that… Let’s try adding a process right before logging out, and NOHUP’ing …

Stay out of the logs — /var/log/auth.log Read more »

Hacking Apply – Pt. V

By michaelbazzinott001 Posted on October 15, 2014 Posted in Asm, Bash, buffer overflow, C, Sparc/Solaris, Uncategorized No Comments

crucial address: right after the gets() in Acct: 0x11518 The exploit wasn’t working. The segfault was caused by another thing. Reg mess. Luckily, the only reg we need to restore to normal is %o3 must put a good value into …

Hacking Apply – Pt. V Read more »

Pearl — Hacking Apply Pt III

By michaelbazzinott001 Posted on October 15, 2014 Posted in Bash, buffer overflow, C, Sparc/Solaris No Comments

First was to obtain the source code from blade72, /sources/apply-1.2 This wasn’t advertised, I happened to be digging around the filesystem one day and accidently stumbled upon it :) fortunately it’s pre-compiled.. I move the sources to my own box.. …

Pearl — Hacking Apply Pt III Read more »

Holy Mother of Pearl – Pt. II

By michaelbazzinott001 Posted on October 15, 2014 Posted in Bash, buffer overflow, Sparc/Solaris No Comments

Now let’s start perfecting our exploit: The above is the typical Stack range for a 32-bit sparc app in 64-bit kernel. That’s as specific as I care for.. We can create a guesser program to, based on nop-sled size, slice …

Holy Mother of Pearl – Pt. II Read more »

Holy Mother of Pearl — SPARC Exploitation Excerpts!

By michaelbazzinott001 Posted on October 14, 2014 Posted in Bash, buffer overflow, Sparc/Solaris No Comments

SO, back to exploiting the userland gets() function. Vulnerable Test Prog This invoke scripts helps me keep the stack offset the same whether I run the program in GDB or not.. Note: it doesn’t work that well on my Sun …

Holy Mother of Pearl — SPARC Exploitation Excerpts! Read more »

OS X After patching shellshock, Xquartz fails + sh: line 6: `BASH_FUNC_rvm_debug%%’: not a valid identifier

By michaelbazzinott001 Posted on October 11, 2014 Posted in Bash, OSX No Comments

After patching my /bin/bash with https://shellshocker.net/ scripts, I noticed some odd things. When I did an ssh -X, I would see this: Then X would start up after performing an X app, and I would get this in XQuartz: Then, quartz …

OS X After patching shellshock, Xquartz fails + sh: line 6: `BASH_FUNC_rvm_debug%%’: not a valid identifier Read more »

Finding all suid programs on Sparc machine leads to Pwnage

By michaelbazzinott001 Posted on October 3, 2014 Posted in Bash, Sparc/Solaris No Comments

Find all Suid programs on disk Example Output I love it!! It led to me find this gem on the server: FMI: we notice that some binaries are different size: The added module.. What’s gecos? Turns out that this is …

Finding all suid programs on Sparc machine leads to Pwnage Read more »

[POC] [Shellshock] Bash SSHD PreAuth Remote Exploit

By michaelbazzinott001 Posted on September 26, 2014 Posted in Bash No Comments Tagged with auth, bash, exploit, openssh, POC, post, postauth, pre, shell, shellshock, shock, ssh, sshd, vulnerability

The hype around the ShellShock bash exploit is circulating everywhere. Some have proven methods of: BAD DHCP server Remote code execution in CGI scripts However, most research suggests that the SSH daemon is only susceptible to the shell shock exploit …

[POC] [Shellshock] Bash SSHD PreAuth Remote Exploit Read more »

Category: Bash