Tim Brown timb-machine

@timb-machine
timb-machine / unix-audit DSL prototype
Last active August 1, 2023 05:58
platformtags:
  - "linux"
checks:
  - type: "Informational"
    checks:
      - name: "Platform"
        exec:
          - command: "uname"
            stderr: true
            encode: ""
timb-machine / Comparing and contrasting generations of RedMenshen AKA BPFDoor
Created June 9, 2023 21:39
Recent:
$ ../../../src/tools/triage-binary.sh fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73.elf.x86_64
[Execution, Persistence, Discovery: attack:T1053.006:Systemd Timers, attack:T1543.002:Systemd Service, attack:T1007:System Service Discovery]: /usr/lib/systemd/systemd-journald (1)
[Defense Evasion: attack:T1070.004:File Deletion]: ldterm (1)
[Defense Evasion: attack:T1070.004:File Deletion]: unlink@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:Auditd, attack:T1562.001:Disable or Modify Tools]: /sbin/auditd -n (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: argv0 (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: prctl@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:ProcessTreeSpoofingForking]: fork@@GLIBC_2.2.5 (1)
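The triage lines above have a regular shape, "[tactics: tag, tag]: indicator (count)", which makes them easy to turn into a technique set and diff across samples, which is what "comparing and contrasting generations" needs. The following is an added example, not triage-binary.sh or any other code from the gist: it parses lines in that format, keys them by ATT&CK technique ID (the "attack:" tags) and by behavioural heuristic (the "uses:" tags), and reports what one run has that another lacks. RECENT is the output quoted above; OLDER is a constructed stand-in for an earlier generation, not triage of a real sample.

```python
import re
from collections import defaultdict

# The "Recent:" triage lines quoted above, used as the parser's sample input.
RECENT = [
    "[Execution, Persistence, Discovery: attack:T1053.006:Systemd Timers, "
    "attack:T1543.002:Systemd Service, attack:T1007:System Service Discovery]: "
    "/usr/lib/systemd/systemd-journald (1)",
    "[Defense Evasion: attack:T1070.004:File Deletion]: ldterm (1)",
    "[Defense Evasion: attack:T1070.004:File Deletion]: unlink@@GLIBC_2.2.5 (1)",
    "[Defense Evasion: uses:Auditd, attack:T1562.001:Disable or Modify Tools]: /sbin/auditd -n (1)",
    "[Defense Evasion: uses:ProcessTreeSpoofing]: argv0 (1)",
    "[Defense Evasion: uses:ProcessTreeSpoofing]: prctl@@GLIBC_2.2.5 (1)",
    "[Defense Evasion: uses:ProcessTreeSpoofingForking]: fork@@GLIBC_2.2.5 (1)",
]

# Constructed stand-in for an older generation's output; it is NOT triage of a
# real sample. Same masquerading and unlink behaviour, no systemd or auditd
# indicators, so the comparison below has something to report.
OLDER = [
    "[Defense Evasion: attack:T1070.004:File Deletion]: unlink@@GLIBC_2.2.5 (1)",
    "[Defense Evasion: uses:ProcessTreeSpoofing]: argv0 (1)",
    "[Defense Evasion: uses:ProcessTreeSpoofing]: prctl@@GLIBC_2.2.5 (1)",
    "[Defense Evasion: uses:ProcessTreeSpoofingForking]: fork@@GLIBC_2.2.5 (1)",
]

# One triage line: "[<tactics>: <tag>, <tag>, ...]: <indicator> (<count>)"
LINE = re.compile(
    r"^\[(?P<tactics>[^:\]]+): (?P<tags>[^\]]+)\]: (?P<indicator>.+) \((?P<count>\d+)\)$"
)


def parse_line(line):
    """Split one triage line into its tactics, tags, indicator and hit count."""
    m = LINE.match(line)
    if m is None:
        raise ValueError("unrecognised triage line: %r" % line)
    return {
        "tactics": [t.strip() for t in m["tactics"].split(",")],
        "tags": [t.strip() for t in m["tags"].split(",")],
        "indicator": m["indicator"],
        "count": int(m["count"]),
    }


def techniques(lines):
    """Map each attack:<ID> or uses:<heuristic> tag to the indicators behind it."""
    found = defaultdict(set)
    for rec in map(parse_line, lines):
        for tag in rec["tags"]:
            if tag.startswith("attack:"):
                found[tag.split(":")[1]].add(rec["indicator"])  # technique ID only
            elif tag.startswith("uses:"):
                found[tag].add(rec["indicator"])  # behavioural heuristic, keep name
    return dict(found)


def compare(older, recent):
    """Technique/heuristic IDs gained, lost and shared between two triage runs."""
    a, b = set(techniques(older)), set(techniques(recent))
    return {"added": sorted(b - a), "removed": sorted(a - b), "common": sorted(a & b)}


if __name__ == "__main__":
    for key, ids in compare(OLDER, RECENT).items():
        print(key, ", ".join(ids) or "-")
```

Keying on technique IDs rather than on raw indicators is deliberate: two generations can swap unlink() for a different deletion primitive and still share T1070.004, while a new systemd masquerade shows up as new IDs rather than as noise in a string diff.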
timb-machine / List of CVEs for vulnerability disclosures
Last active April 17, 2023 23:55
NDSA20020719.txt.asc, CVE-2002-2331
NDSA20021112.txt.asc, CVE-2002-2399
NDSA20050719.txt.asc
NDSA20060705.txt.asc, CVE-2006-3848
NDSA20070206.txt.asc, CVE-2007-0838
NDSA20070412.txt.asc
NDSA20070524.txt.asc, CVE-2007-3190, CVE-2007-3191, CVE-2007-3189
NDSA20071016.txt.asc, CVE-2007-5691, CVE-2007-5492, CVE-2007-5493, CVE-2007-5694, CVE-2007-5695
NDSA20071119.txt.asc, CVE-2007-6100
NDSA20080215.txt.asc, CVE-2007-4074
timb-machine / A brief history of treasury bugs
Created February 13, 2023 21:25
$ ./get-attack-patterns.py treasury
I: searching for treasury%20
10
CVE-2017-3183
CVE-2019-0280
CVE-2019-0383
CVE-2019-0384
CVE-2020-6204
CVE-2019-20150
CVE-2019-20151
timb-machine / CVE-2022-36768 for shits and giggles... (WIP)
Last active January 4, 2024 22:42
We start by unpacking the patch. On this occasion it's shipped as an RTE file (an AIX-specific backup format), so we need to unpack it on our AIX VM. First list the archive's contents with restore -T (-T only prints the table of contents, nothing is extracted yet; -f names the archive file), like so:
$ restore -T -f ../invscout.rte
/lpp_name
/usr
/usr/lpp
/usr/lpp/invscout.rte
/usr/lpp/invscout.rte/liblpp.a
/usr/lpp/invscout.rte/inst_root
/usr/lpp/invscout.rte/inst_root/liblpp.a
timb-machine / CVE-2022-36768 for shits and giggles...
Last active January 4, 2024 22:44
We start by unpacking the patch. On this occasion it's shipped as an RTE file (an AIX-specific backup format), so we need to unpack it on our AIX VM. First list the archive's contents with restore -T (-T only prints the table of contents, nothing is extracted yet; -f names the archive file), like so:
$ restore -T -f ../invscout.rte
/lpp_name
/usr
/usr/lpp
/usr/lpp/invscout.rte
/usr/lpp/invscout.rte/liblpp.a
/usr/lpp/invscout.rte/inst_root
/usr/lpp/invscout.rte/inst_root/liblpp.a
timb-machine / Hunting for AIX getenv() victims
Created December 16, 2022 23:30
#!/bin/sh
# Walk every setuid/setgid file on the box and list those whose loader symbol
# table references getenv(): candidates for environment-driven abuse.
# dump -T prints the symbol table; -X 32_64 covers both 32- and 64-bit objects.
find / \( -perm -u+s -o -perm -g+s \) 2>/dev/null | while read -r line
do
	echo "+++ $line"
	dump -X 32_64 -T "$line" 2>/dev/null | grep getenv
done
timb-machine / Abusing sudo vim to create setUIDs you control
Last active December 13, 2022 15:22
$ sudo chown root foo
Password:
$ sudo chmod u+rwxs foo
$ ls -la foo
-rwsr--r-- 1 root staff 0 13 Dec 15:19 foo
$ sudo vi foo
$ ls -la foo
-rwsr--r-- 1 root staff 1711088 13 Dec 15:19 foo
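The listings above show the mechanism: after sudo vi wrote 1.7 MB of new content into foo, the file still carries -rwsr--r--, so whoever is allowed to run vi as root on a setuid file can swap its contents and keep the setuid bit. The following is an added example, not code from the gist, showing why the bit survives. It assumes POSIX mode-bit semantics as implemented on Linux and the BSDs (macOS included): rewriting a file through its existing inode keeps that inode's mode bits when the writer is privileged (root, CAP_FSETID on Linux), the kernel strips setuid/setgid for an unprivileged writer, and replacing the file by rename yields a fresh inode whose mode comes from open(2) and the umask.

```python
import os
import stat
import tempfile

# Added example. It creates two 04755 files in a scratch directory, rewrites
# one through its existing inode and replaces the other by rename, and reports
# which strategy leaves setuid set. Results depend on who runs it (see demo()).


def has_setuid(path):
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def rewrite_in_place(path, payload):
    """Truncate and rewrite the existing inode, as an editor's :w does."""
    with open(path, "wb") as fh:  # O_TRUNC on the same inode
        fh.write(payload)
    return has_setuid(path)


def replace_by_rename(path, payload):
    """Write a sibling temp file and rename it over path: a brand-new inode."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(payload)
    os.rename(tmp, path)
    return has_setuid(path)


def demo(payload=b"#!/bin/sh\nid\n"):
    """Return whether each write strategy preserved setuid on a 04755 file.

    writer_is_root records the effective uid so the caller can interpret the
    in_place result: a privileged writer keeps the bit, an unprivileged one
    has it stripped by the kernel on write.
    """
    results = {"writer_is_root": os.geteuid() == 0}
    with tempfile.TemporaryDirectory() as workdir:
        for label, writer in (("in_place", rewrite_in_place),
                              ("rename", replace_by_rename)):
            target = os.path.join(workdir, label)
            open(target, "wb").close()
            os.chmod(target, 0o4755)  # setuid on a file we own needs no privilege
            results[label] = writer(target, payload)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-15s %s" % (key, value))
```

Run it once as yourself and once under sudo: unprivileged, both strategies end without setuid; as root, in_place keeps it and rename never does. That asymmetry is the whole trick in the gist, and it applies to any editor or tool that writes through the existing inode while running as root, so a sudoers rule that grants an editor on a path is a rule that grants setuid-root files to whoever holds it.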
timb-machine / Analysis of ATT&CK v12 bugs
Created December 4, 2022 07:47
Top 10 bugs:
CVE-2014-7169,8
CVE-2016-6662,8
CVE-2012-0158,9
cve-2017-8759,10
CVE-2017-8625,11
CVE-2017-8759,13
cve-2021-32648,15
CVE-2015-3113,21
timb-machine / ATT&CK v11 vs v12 for Linux
Created October 25, 2022 19:29
$ jq '.objects[] | select(.type | contains("attack-pattern")) | select(.x_mitre_platforms[] | contains("Linux")) | .name' enterprise-attack-11.0.json | sort | uniq > 11.out
$ jq '.objects[] | select(.type | contains("attack-pattern")) | select(.x_mitre_platforms[] | contains("Linux")) | .name' enterprise-attack-12.0.json | sort | uniq > 12.out
$ diff 11.out 12.out
33a34,36
> "Clear Mailbox Data"
> "Clear Network Connection History and Configurations"
> "Clear Persistence"
93a97
> "Embedded Payloads"
145c149
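Two things in the last two gists are worth checking when you repeat them. The jq filter keeps every attack-pattern object, including ones the STIX bundle retains only as revoked or deprecated ("revoked": true, "x_mitre_deprecated": true), so a version diff can report techniques ATT&CK no longer recommends; and the "Top 10 bugs" table splits one CVE across two rows (cve-2017-8759 and CVE-2017-8759) because the counting was case-sensitive. The following is an added example, not the gists' jq or get-attack-patterns.py, doing the same selection and CVE count over two constructed miniature bundles. The Linux technique names are the ones quoted in the diff above; the Windows-only, malware and revoked objects and every description are invented to exercise the edge cases.

```python
import json
import re
from collections import Counter


# Constructed miniature STIX bundles carrying only the fields the jq filters
# above read. Not real ATT&CK data beyond the quoted technique names.
def _bundle(objects):
    return json.dumps({"type": "bundle", "objects": objects})


V11 = _bundle([
    {"type": "attack-pattern", "name": "Clear Linux or Mac System Logs",
     "x_mitre_platforms": ["Linux", "macOS"], "description": ""},
    {"type": "attack-pattern", "name": "Exploitation for Privilege Escalation",
     "x_mitre_platforms": ["Linux", "Windows", "macOS"],
     "description": "e.g. Shellshock (CVE-2014-7169) against a setuid helper"},
    {"type": "attack-pattern", "name": "Windows-only technique",
     "x_mitre_platforms": ["Windows"], "description": ""},
    {"type": "malware", "name": "not a technique", "x_mitre_platforms": ["Linux"]},
])
V12 = _bundle(json.loads(V11)["objects"] + [
    {"type": "attack-pattern", "name": "Clear Persistence",
     "x_mitre_platforms": ["Linux", "macOS", "Windows"], "description": ""},
    {"type": "attack-pattern", "name": "Embedded Payloads",
     "x_mitre_platforms": ["Linux", "macOS", "Windows"], "description": "",
     "external_references": [{"source_name": "example",
                              "description": "see cve-2014-7169"}]},
    {"type": "attack-pattern", "name": "Superseded technique", "revoked": True,
     "x_mitre_platforms": ["Linux"], "description": ""},
])


def linux_technique_names(bundle_json, skip_revoked=True):
    """The jq selection above; skip_revoked additionally drops revoked/deprecated objects."""
    names = set()
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if skip_revoked and (obj.get("revoked") or obj.get("x_mitre_deprecated")):
            continue
        if "Linux" in obj.get("x_mitre_platforms", []):
            names.add(obj["name"])
    return sorted(names)


def diff_linux_names(old_json, new_json):
    """What `diff 11.out 12.out` reports, as added/removed name lists."""
    old = set(linux_technique_names(old_json))
    new = set(linux_technique_names(new_json))
    return {"added": sorted(new - old), "removed": sorted(old - new)}


CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def cve_counts(bundle_json):
    """Count CVE IDs in descriptions and external references, upper-cased so
    'cve-2014-7169' and 'CVE-2014-7169' land in one bucket."""
    counts = Counter()
    for obj in json.loads(bundle_json)["objects"]:
        texts = [obj.get("description", "")]
        texts += [ref.get("external_id", "") + " " + ref.get("description", "")
                  for ref in obj.get("external_references", [])]
        for text in texts:
            counts.update(cve.upper() for cve in CVE_RE.findall(text))
    return counts


if __name__ == "__main__":
    print(json.dumps(diff_linux_names(V11, V12), indent=1))
    print(cve_counts(V12).most_common(10))
```

Against the real enterprise-attack-11.0.json and enterprise-attack-12.0.json the same two functions apply unchanged; expect the name diff to shrink slightly once revoked objects are excluded, and the case-folded CVE table to merge the duplicated rows.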