On Mon, Dec 24, 2012 at 7:39 AM, Jason A. Donenfeld ja...@zx2c4.com wrote:
realizing. I'm copying the author on this email, as he may want to
include a warning message where naive folks like myself can see it, or
document these somewhere if they're not already, or at least apply the
two
On Mon, Dec 24, 2012 at 7:39 AM, Jason A. Donenfeld ja...@zx2c4.com wrote:
hashes. A simple google search of
inurl:wp-content/plugins/w3tc/dbcache and maybe some other magic
An astute reader writes to me privately that the /plugins/ part of
that googledork isn't correct, and that the best way
Hi all,
From the developers' description [1], W3 Total Cache is:
The most complete WordPress performance framework.
Recommended by web hosts like: MediaTemple, Host Gator, Page.ly and WP Engine
and countless more.
Trusted by countless sites like: stevesouders.com, mattcutts.com,
On Mon, Aug 13, 2012 at 5:41 PM, Richard Miles richard.k.mi...@googlemail.com wrote:
- Calls a file with a suid file without full path?
No.
- Allows to create a symbolic link inside
/Applications/Viscosity.app/Contents/Resources/ with the name of
ViscosityHelper?
No.
BTW, this file
On Mon, Aug 13, 2012 at 6:02 PM, Richard Miles richard.k.mi...@googlemail.com wrote:
Thanks for fast reply. I'm still unsure if I understood properly.
Please reply on list.
Yes, it does exist. When you run Viscosity for the first time, it makes
that file SUID.
So, you only have one chance
This one is dead simple.
Exploit: http://git.zx2c4.com/Viscatory/tree/viscatory.sh
Demo: http://www.youtube.com/watch?v=cw2_j6wKwlQ
Product: http://www.thesparklabs.com/viscosity/
___
Full-Disclosure - We believe in it.
Charter:
Tunnel Blick is a fun punching bag. Lots of possible exploits.
Lots of vulnerable SUID code:
http://code.google.com/p/tunnelblick/source/search?q=openvpnstart.m&origq=openvpnstart.m&btnG=Search+Trunk
One such exploit: http://git.zx2c4.com/Pwnnel-Blicker/tree/pwnnel-blicker.c
Bla bla
In case there was any debate over what I meant by fun punching bag,
here's a shell script that gets root by a different vector:
http://git.zx2c4.com/Pwnnel-Blicker/tree/pwnnel-blicker-for-kids.sh
http://www.youtube.com/watch?v=8DUNWEzaL2U
You can also fool the program into loading arbitrary
On Tue, Jan 24, 2012 at 10:10, Jeffrey Walton noloa...@gmail.com wrote:
Does ptrace defeat -fPIE?
No. When I find the offset via ptrace, I do this in a different /bin/su
than the one I eventually use for injection. This is because when you
ptrace an executable, if it is SUID, it will *drop*
I started on a ptrace based way of finding things, but I'm a bit of a
novice in this area. It's not working yet, but progress is here:
http://git.zx2c4.com/CVE-2012-0056/tree/exit-ptrace-finder.c
Any pointers?
On Mon, Jan 23, 2012 at 04:05, Jason A. Donenfeld ja...@zx2c4.com wrote:
Well done
Someone made an android version: https://github.com/saurik/mempodroid
On Sun, Jan 22, 2012 at 19:19, Jason A. Donenfeld ja...@zx2c4.com wrote:
Hey Everyone,
I did a detailed write-up on exploiting CVE-2012-0056 that some of
y'all might appreciate. Pretty fun bug to play with -- dup2ing all
On Mon, Jan 23, 2012 at 04:55, Jason A. Donenfeld ja...@zx2c4.com wrote:
Never seen checksec. Cool.
As it turns out, Fedora seems to do a good job at compiling (all? not
sure) their suid executables with -pie.
Revision. It does in fact work with fedora. /usr/bin/gpasswd.
http://git.zx2c4
\x6a\x3c\x58\x0f\x05);
2012/1/23 Jason A. Donenfeld ja...@zx2c4.com:
I started on a ptrace based way of finding things, but I'm a bit of a
novice
in this area. It's not working yet, but progress is here:
http://git.zx2c4.com/CVE-2012-0056/tree/exit-ptrace-finder.c
Any pointers
with shellcode.
sh-4.2#
http://git.zx2c4.com/CVE-2012-0056/tree/mempodipper.c
On Tue, Jan 24, 2012 at 08:35, Jason A. Donenfeld ja...@zx2c4.com wrote:
I really couldn't really decipher the python without squinting, and I
decided I didn't really like this method of going about it; it seems a bit
fuzzy. I
Hey Everyone,
I did a detailed write-up on exploiting CVE-2012-0056 that some of
y'all might appreciate. Pretty fun bug to play with -- dup2ing all
over the place for the prize of getting to write arbitrary process
memory into su :-).
The write up is available on my blog here:
On Sun, Jan 22, 2012 at 19:19, Jason A. Donenfeld ja...@zx2c4.com wrote:
Hey Everyone,
I did a detailed write-up on exploiting CVE-2012-0056 that some of
y'all might appreciate. Pretty fun bug to play with -- dup2ing all
over the place for the prize of getting to write
, the reason why I don't hard code 12 for the
length of the su error string is that it's different on different
distros.
On Mon, Jan 23, 2012 at 02:14, sd s...@fucksheep.org wrote:
2012/1/23 Jason A. Donenfeld ja...@zx2c4.com:
Server presently DoS'd, or dreamhost is tweaking again.
boring tl;dr
similar things you can do when running suid code that
will make it lose suidness, and also a variety of inspection
techniques.
On Mon, Jan 23, 2012 at 03:46, sd s...@fucksheep.org wrote:
2012/1/23 Jason A. Donenfeld ja...@zx2c4.com:
NICE! Well, I guess posting that blog post defeated the point
it still worked for all of 2.6 as i see linus has
committed it to 2.6
Mark
On Sun, Jan 22, 2012 at 6:19 PM, Jason A. Donenfeld ja...@zx2c4.com wrote:
Hey Everyone,
I did a detailed write-up on exploiting CVE-2012-0056 that some of
y'all might appreciate. Pretty fun bug to play with -- dup2ing all
(and probably many others). Perhaps distributions should run
Checksec (http://www.trapkit.de/tools/checksec.html) on their
binaries.
On Sun, Jan 22, 2012 at 6:25 PM, Jason A. Donenfeld ja...@zx2c4.com wrote:
Server presently DoS'd, or dreamhost is tweaking again.
Cache link:
http
Hello Full Disclosure Hysterics Friends,
I have now read through five dozen complaints about how Ubuntu
is fundamentally an insecure operating system, filled with more holes
than Swiss cheese.
If somebody could direct me toward a local root exploit against a fully
up-to-date Ubuntu 11.04 or
you count if the GUI can't do it, then the user can't either! a
real security attempt), but it is a method that could be helpful in making
different sorts of things this mailing list seems to like. So here ya go.
-- Forwarded message --
From: Jason A. Donenfeld ja...@zx2c4.com
This is useful for scrubbing wtmp/utmp:
http://git.zx2c4.com/lastlog/tree/