received signal SIGSEGV (lmao)

  • orbi hunting 0x1: crashes in soap-api

    The second part in this series going over my time hunting for bugs on the netgear orbi. This post is a walkthrough of a long journey that began with the discovery of a buffer overflow which I initially thought was unreachable due to a separate null pointer dereference and eventually finding a way to get past that null deref — only to ultimately be thwarted by a stack canary that couldn’t be easily bypassed (at least, not by me). So, free 0day for anyone that can exploit it? Hit me up on twitter to let me know how you did it.

  • orbi hunting 0x0: introduction, uart access, recon

    I’ve been hunting for bugs on the Netgear Orbi (RBR20) for about a year and a half now. This is the first in a series of posts where I’ll be publishing my notes and findings from this research. This post provides a high-level overview of the system and notes on getting serial console access via UART.

  • fuzzing udhcpd: a hacky approach

    I wanted to do some fuzzing against udhcpd recently but was feeling too lazy to write a harness from scratch, so instead I modified the existing udhcp server code to turn it into a harness using AFL’s LLVM persistent mode and then modified the udhcp client (udhcpc) to generate a corpus of testcases and write them out to files. Here’s what I was able to put together over a weekend.

  • osx naughtiness: bypassing santa & hiding from av

    I recently audited Santa, a binary authorization system for macOS, and discovered a technique for bypassing Santa’s controls using in-memory execution + userland-exec. I combine this with Python’s ctypes module and NamedTemporaryFile objects to create a proof-of-concept showing how this can be used to execute native code in a ‘fileless’ manner and bypass both Santa and at least one popular enterprise AV solution on macOS.

  • afl 0x0: my fuzzing environments and workflow

    This will be the first in a series of posts about working with afl and documenting new things I learn about using it. I thought it would be good to start this off by describing my current fuzzing workflow and how I set everything up. This took me a little while to settle into so I’m hoping it’ll be useful to others just getting started.

  • fuzzing binutils, part 1.2: reversing a few lines from srec_scan()

    While going over the assembly for the buggy function I discussed in my previous post, I came across a chunk of instructions that I was having a hard time mapping back to the source code. Suspecting compiler optimizations had something to do with it, I decided to go through the assembly line-by-line, documenting each operation along the way and trying to map it all back to the source, in an attempt to understand what the compiler had done.

  • fuzzing binutils, part 1: out-of-bounds read in libbfd

    A few weeks ago, I finally got around to trying out American Fuzzy Lop for the first time and chose to fuzz a couple of the binutils tools. While fuzzing objdump, AFL found a few interesting crashes that led me to discover a bug in the version of libbfd (Binary File Descriptor) included with the version of binutils I tested. This post provides details on the bug and walks through the process of finding the root cause.

  • cve-2017-17065: d-link dir-605l hnap basic authentication buffer overflow discovery+analysis

    This post provides details on the discovery and exploitation of CVE-2017-17065, a vulnerability I found in certain D-Link routers.

  • tiny-web-server: buffer overflow discovery + poc ret2libc exploit

    While poking at an HTTP server I had come across, I eventually discovered a buffer overflow in the code responsible for processing the URI part of an HTTP request. This post walks through the process of finding the root cause of the bug and writing a PoC exploit using return-to-libc to call exit() cleanly across all running threads and kill the server.

  • collecting bro logs in elasticsearch with logstash+filebeat

    I couldn’t find any good guides online about how to collect Bro logs with Logstash without having to run Logstash on the same server, so I wrote my own. This solution uses Filebeat on the Bro server to forward the logs to a remote Logstash server, which then handles processing of that data using filters before forwarding the processed data to Elasticsearch.

  • cve-2017-9675: d-link dir-605l denial of service discovery+analysis

    This post provides details on the discovery and exploitation of CVE-2017-9675, a vulnerability I found in certain D-Link routers.

  • building a raspberry pi network tap/bridge

    While working on berry-sense and learning about network traffic analysis recently, I had the need for a dedicated device to use as an Ethernet bridge/tap for capturing traffic. This would give me a chance to test the Raspberry Pi’s performance while performing traffic captures, as well as produce a usable device for performing simple captures.

  • building a yaf+silk testing vm

    A walkthrough of setting up YaF+SiLK network flow analysis tools on an Ubuntu 16.04 virtual machine.