Looking for something fun to do in 2023? Why not learn how to hack mainframes?
This container was built for our DEFCON 30 workshop. It will walk you through three challenging buffer overflows on a real mainframe OS. The first challenge is a simple C program buffer overflow, the second a buffer overflow and privesc and finally remote code execution over FTP.
Qualys does it again! It’s so rewarding when all the pieces of an #exploit come to fit together nicely.
Race condition in snap-confine's must_mkdir_and_open_with_perms() (CVE-2022-3328)
This website was very useful to find exactly when the manifest changed, definitely worth a visit if you do any Microsoft vulnerability research and need to check system binary versions and changes. Thanks @raptor for pointing me towards this earlier today & @Rairii for suggestions - https://winbindex.m417z.com/
The manifest of this binary was adjusted to run asInvoker, so the autoelevate attribute is no longer honored, making it useless for UAC. On systems that have the legacy manifest it could already be trivially leveraged via the mscfile shell open command registry key. I leveraged OneDrive to sideload the DLL, so it should only impact desktops; I do not think the server versions are impacted unless they ship with OneDrive. I'll check on 2012 but I doubt it will be exploitable to bypass UAC notification.
DLL side-loading vulnerability in Microsoft-signed autoelevate CompMgmtLauncher.exe - unfortunately the manifest on this file changed in Windows 10 1703, so it can no longer be used to bypass UAC. The side-loading doesn't trigger in 1507-1607; this may be exploitable in some situations but is being discarded as a dead end. There is one more of these that we've found but have been unable to exploit. This one is only useful to sideload malware in a signed executable and not for UAC.
@Rairii I don't even know how I forgot about it, I was just looking to track a change to a binary over a few versions. You will see why when I drop the thing later.
Is there a website that tracks changes to specific Windows files and provides the patch level that the change occurred in? I am trying to locate when a specific component was changed under the Windows %SystemRoot% - trial and error says "sometime between 8 / 10", but I would like to know when something was patched.
As a middle aged #unix #hacker I really enjoyed reading @timb_machine's #oldschool whitepaper titled "Breaking the links: Exploiting the linker". It contains some fun tidbits of almost-forgotten lore.
TL;DR: "The discussion relating to insecure library loading on the Microsoft Windows platform provoked a significant amount of debate as to whether GNU/Linux and UNIX variants could be vulnerable to similar attacks. Whilst the general consensus of the Slashdot herd appeared to be that this was just another example of Microsoft doing things wrong, the author felt this was unfair and responded with a blog post that sought to highlight an example of where POSIX style linkers get things wrong. Based on the feedback received to that post, the author decided to investigate the issue a little further. This paper is an amalgamation of what was learnt."
@jernej__s is obviously still in use but the actual root cause of the problem is fixed through a manifest file change. I'll probably share it as it has no commercial value to us. My material is always working on the latest versions, Win11 and 2022. I love writing exploits for all versions but realistically few care about my NT4-2003 0days as they are just academic exercises and for sport. Markets for this stuff only care for the latest and greatest of any platform.