Bash – Bazz's Code Developments

Stay out of the logs — /var/log/auth.log

By michaelbazzinott001 Posted on October 24, 2014 Posted in Bash, C No Comments

PROBLEM: the auth.log gets appended to after logging out… Oct 24 00:38:23 gateway sshd[1801]: pam_unix(sshd:session): session closed for user root You can erase all other traces but not that… Let’s try adding a process right before logging out, and NOHUP’ing …

Stay out of the logs — /var/log/auth.log Read more »

Hacking Apply – Pt. V

By michaelbazzinott001 Posted on October 15, 2014 Posted in Asm, Bash, buffer overflow, C, Sparc/Solaris, Uncategorized No Comments

crucial address: right after the gets() in Acct: 0x11518 The exploit wasn’t working. The segfault was caused by another thing. Reg mess. Luckily, the only reg we need to restore to normal is %o3 must put a good value into …

Hacking Apply – Pt. V Read more »

Pearl — Hacking Apply Pt III

By michaelbazzinott001 Posted on October 15, 2014 Posted in Bash, buffer overflow, C, Sparc/Solaris No Comments

First was to obtain the source code from blade72, /sources/apply-1.2 This wasn’t advertised, I happened to be digging around the filesystem one day and accidently stumbled upon it :) fortunately it’s pre-compiled.. I move the sources to my own box.. …

Pearl — Hacking Apply Pt III Read more »

Holy Mother of Pearl – Pt. II

By michaelbazzinott001 Posted on October 15, 2014 Posted in Bash, buffer overflow, Sparc/Solaris No Comments

Now let’s start perfecting our exploit: STACK RANGE 0xFFBEE000 . . 0xFFBEE800 . . 0xFFBEF000 . . 0xFFBEF800 . 0xFFBF0000 The above is the typical Stack range for a 32-bit sparc app in 64-bit kernel. That’s as specific as I …

Holy Mother of Pearl – Pt. II Read more »

Holy Mother of Pearl — SPARC Exploitation Excerpts!

By michaelbazzinott001 Posted on October 14, 2014 Posted in Bash, buffer overflow, Sparc/Solaris No Comments

SO, back to exploiting the userland gets() function. Vulnerable Test Prog #include <stdio.h> unsigned long get_sp( void ) { __asm__("or %sp,%sp,%r1"); // %r1 may have to be %i0 in some circumstances?? weirdness.. } void copy( ){ char buf[256]; gets(buf); } …

Holy Mother of Pearl — SPARC Exploitation Excerpts! Read more »

OS X After patching shellshock, Xquartz fails + sh: line 6: `BASH_FUNC_rvm_debug%%’: not a valid identifier

By michaelbazzinott001 Posted on October 11, 2014 Posted in Bash, OSX No Comments

After patching my /bin/bash with https://shellshocker.net/ scripts, I noticed some odd things. When I did an ssh -X, I would see this: sh: line 6: `BASH_FUNC_rvm_debug%%’: not a valid identifier Then X would start up after performing an X app, and …

OS X After patching shellshock, Xquartz fails + sh: line 6: `BASH_FUNC_rvm_debug%%’: not a valid identifier Read more »

Finding all suid programs on Sparc machine leads to Pwnage

By michaelbazzinott001 Posted on October 3, 2014 Posted in Bash, Sparc/Solaris No Comments

Find all Suid programs on disk find -follow -user root -perm -4000 -exec ls -lLdb {} \; 2>/dev/null Example Output -r-sr-xr-x 1 root 7240 Apr 10 2003 /usr/lib/utmp_update -r-s–x–x 1 root 19696 Oct 29 2003 /usr/lib/lp/bin/netpr -r-s–x–x 1 root 6848 …

Finding all suid programs on Sparc machine leads to Pwnage Read more »

[POC] [Shellshock] Bash SSHD PreAuth Remote Exploit

By michaelbazzinott001 Posted on September 26, 2014 Posted in Bash No Comments Tagged with auth, bash, exploit, openssh, POC, post, postauth, pre, shell, shellshock, shock, ssh, sshd, vulnerability

The hype around the ShellShock bash exploit is circulating everywhere. Some have proven methods of: BAD DHCP server Remote code execution in CGI scripts However, most research suggests that the SSH daemon is only susceptible to the shell shock exploit …

[POC] [Shellshock] Bash SSHD PreAuth Remote Exploit Read more »

Category: Bash