[LIVE Nov 25, 2022 11AM PT Off By One Security : Introduction to Linux Heap Exploitation](https://www.youtube.com/watch?v=dMDoC9DlVzA)
π£soupcreamychicken
π@malwr
π£soupcreamychicken
π@malwr
YouTube
Introduction to Linux Heap Exploitation
In this stream I will cover remedial heap exploitation on Linux. This technique only works on older heap implementations lacking the Safe Unlink protection. Though dated, it serves as a great way to get started with exploring the heap and how one approachesβ¦
Containers: Rootful, Rootless, Privileged and Super Privileged
π£fcano1
First off: Who the hell makes text highlighting for copy/paste the same colors as the text itself? That's seriously user-hostile and qualifies the site designer for an Asshat Of The Year award. Also, fix your damn CSP configuration, you're shitting out a bunch of blocked requests.
Anyways -
> A rootless container is a container that could be run without root privileges in the host. Docker runs containers launching them with the Docker daemon, which is run as root. Podman does not use any daemon and it does not need root to run containers.
This is wrong. Going by the docker rootless documentation directly, the docker daemon being run as root must be stopped as part of the rootlesskit installation; a systemd user service is started in its stead which is run as a user. As such, the daemon is no longer running as root, it's by default a unix socket and ends up getting placed in the user's XDGRUNTIMEDIR (which often means
This leads to interesting adventures with loginctl trying to keep systemd user units running without an active pty/tty, but is still manageable.
Also of note, cgroups v1 is non-viable with rootless docker; you have to get cgroups v2 configured (which requires some grub-fu) in order to get resource limitations to be effective for rootless docker. Might not be the case for podman, but definitely the case for docker.
Having been down this path recently trying to automate the deployment of rootless docker with Ansible, it's certainly an annoying process to automate.
π€Katana__
π@malwr
π£fcano1
First off: Who the hell makes text highlighting for copy/paste the same colors as the text itself? That's seriously user-hostile and qualifies the site designer for an Asshat Of The Year award. Also, fix your damn CSP configuration, you're shitting out a bunch of blocked requests.
Anyways -
> A rootless container is a container that could be run without root privileges in the host. Docker runs containers launching them with the Docker daemon, which is run as root. Podman does not use any daemon and it does not need root to run containers.
This is wrong. Going by the docker rootless documentation directly, the docker daemon being run as root must be stopped as part of the rootlesskit installation; a systemd user service is started in its stead which is run as a user. As such, the daemon is no longer running as root, it's by default a unix socket and ends up getting placed in the user's XDGRUNTIMEDIR (which often means
/run/user/$UID/docker.sock, my memory is fuzzy here).This leads to interesting adventures with loginctl trying to keep systemd user units running without an active pty/tty, but is still manageable.
Also of note, cgroups v1 is non-viable with rootless docker; you have to get cgroups v2 configured (which requires some grub-fu) in order to get resource limitations to be effective for rootless docker. Might not be the case for podman, but definitely the case for docker.
Having been down this path recently trying to automate the deployment of rootless docker with Ansible, it's certainly an annoying process to automate.
π€Katana__
π@malwr
π1
Your Guide to Cyberspace: Command Leads Armyβs Mission in 5th Warfighting Domain - from the US's December 2022 issue of Army Magazine
π£digicat
π@malwr
π£digicat
π@malwr
AUSA
Your Guide to Cyberspace: Command Leads Armyβs Mission in 5th Warfighting Domain
Nothing has transformed modern life like the microprocessor, and nothing has significantly shaped the modern global economy as the rise
2023 China Security Report from the Japanese National Institute for Defence Studies - "concern about acts which combine cyberattacks and information warfare. According to Taiwanβs Team T5, they are seeing the emergence of an βAPT + InfoOpβ model combining information operations with hack and leak"
π£digicat
π@malwr
π£digicat
π@malwr
Squalr Memory Editor - New Update for First Time in Years π
π£Aecial
Good to see you back. I've been using it for couple years already it's really good and thanks for all the effort you put in it.
π€mahmozilla
Since Cheat Engine comes bundled with adware (unless you pay $$ to the creator's Patreon), there is increased demand for a good and free alternative.
I took a very break from this project to focus on building out an educational game to teach x86/x64 assembly called Squally, but I've been itching to get back to making this project better.
It's better than CE in many ways, but still has a ways to go. I still need to fix bugs, improve the UX, and finish a couple features.
π€Aecial
π@malwr
π£Aecial
Good to see you back. I've been using it for couple years already it's really good and thanks for all the effort you put in it.
π€mahmozilla
Since Cheat Engine comes bundled with adware (unless you pay $$ to the creator's Patreon), there is increased demand for a good and free alternative.
I took a very break from this project to focus on building out an educational game to teach x86/x64 assembly called Squally, but I've been itching to get back to making this project better.
It's better than CE in many ways, but still has a ways to go. I still need to fix bugs, improve the UX, and finish a couple features.
π€Aecial
π@malwr
GitHub
Releases Β· Squalr/Squalr
Squalr Memory Editor - Game Hacking Tool Written in C# - Squalr/Squalr
π1
Threat Analysis: Active C2 Discovery Using Protocol Emulation Part4 (Dacls, aka MATA)
π£digicat
π@malwr
π£digicat
π@malwr
VMware Security Blog
Threat Analysis: Active C2 Discovery Using Protocol Emulation Part4 (Dacls, aka MATA)
Dacls, aka MATA, is a cross-platform RAT used by the DPRK-linked Lazarus Group and the first artifacts were observed around April 2018. The VMware Threat Analysis Unit (TAU) first discovered the Dacls C2 servers on the Internet by protocol emulation in Augustβ¦
π1
Learn about insider risk management forensic evidence (preview) - Microsoft Purview (compliance)
π£digicat
π@malwr
π£digicat
π@malwr
Docs
Learn about insider risk management forensic evidence
Learn about insider risk management forensic evidence in Microsoft Purview. Forensic evidence is an investigative tool for viewing captured user activity to help determine whether the user's actions pose a risk and may lead to a security incident.
cent: Community edition nuclei templates, a simple tool that allows you to organize all the Nuclei templates offered by the community in one place
π£digicat
π@malwr
π£digicat
π@malwr
GitHub
GitHub - xm1k3/cent: Community edition nuclei templates, a simple tool that allows you to organize all the Nuclei templates offeredβ¦
Community edition nuclei templates, a simple tool that allows you to organize all the Nuclei templates offered by the community in one place - xm1k3/cent
π1
DFIRArtifactMuseum: The goal of this repo is to archive artifacts from all versions of various OS's and categorizing them by type. This will help with artifact validation processes as well as increase access to artifacts that may no longer be readily available anymore.
π£digicat
π@malwr
π£digicat
π@malwr
GitHub
GitHub - AndrewRathbun/DFIRArtifactMuseum: The goal of this repo is to archive artifacts from all versions of various OS's andβ¦
The goal of this repo is to archive artifacts from all versions of various OS's and categorizing them by type. This will help with artifact validation processes as well as increase access t...
NetWalker ransomware samples/source
Does anyone know when I could get my hands on a sample of netwalker ransomware. Pardon my ignorance but I do not know where to find samples online.
EDIT: since someone asked, I am doing a writeup on fileless powershell malware and I saw someone mention netwalker as a pretty notorious one. I would prefer wild samples so I can deobfuscate them myself as it will give more content but just the source code is cool as well
π£Aleks_Leeks
Hey you can find a ton of samples here - https://bazaar.abuse.ch/browse.php?search=tag%3ANetwalker
*No account setup required
π€dkayem
π@malwr
Does anyone know when I could get my hands on a sample of netwalker ransomware. Pardon my ignorance but I do not know where to find samples online.
EDIT: since someone asked, I am doing a writeup on fileless powershell malware and I saw someone mention netwalker as a pretty notorious one. I would prefer wild samples so I can deobfuscate them myself as it will give more content but just the source code is cool as well
π£Aleks_Leeks
Hey you can find a ton of samples here - https://bazaar.abuse.ch/browse.php?search=tag%3ANetwalker
*No account setup required
π€dkayem
π@malwr
reddit
NetWalker ransomware samples/source
Does anyone know when I could get my hands on a sample of netwalker ransomware. Pardon my ignorance but I do not know where to find samples online.
π2
Import Memory Map/structs with the version control tool
Hi,
i just found out about the version tracking tool and used it to save my self some time on a new riscv file im checking.
In the source file i already made some structs and mapped them to some memory i mapped with the cips datasheet. As a firmware update will not change the chip - i would love to take that work with me to the new version too. But neather for the structs i made nor for the memory map i can find the button that lets me inport it.
Am I just not finding one or is there simply none? (would be weird for the Memory Map, as there is an export to CSV which works fine - but no way to import it.)
Any tips would be appreciated!
π£Reni4n
In your first program, in the DataTypeManager window, in the upper right you can select an option to create a Program Archive. You can then share DataTypes to the archive, either by drag/drop into the archive or cut/paste, not a readily discoverable mechanism..
Then, in your new binary, add the archive in the DataTypeManager there and all the types in the archive can be used for typing variables, arguments, etc. (You can also drag/drop to the program, if you desire).
Subsequent changes in either program can be saved to the archive, then in the other program DataTypes can be updated from the archive.
Also, the archive can be added to source control and shared with other developers if you use the ghidra server.
π€marcushall
I thought version tracking would move struct definitions with your markup to the new program version, but I could be misremembering. If you have custom set up entries in the Memory Map regions you should recreate them first before doing the version tracking tool for the best results.
The Data Type Manager will also let you export your custom defined structure manually if all else fails though. I donβt know of a way that migrates memory map settings automatically, however. I guess you could write a script.
π€wilhelms21
π@malwr
Hi,
i just found out about the version tracking tool and used it to save my self some time on a new riscv file im checking.
In the source file i already made some structs and mapped them to some memory i mapped with the cips datasheet. As a firmware update will not change the chip - i would love to take that work with me to the new version too. But neather for the structs i made nor for the memory map i can find the button that lets me inport it.
Am I just not finding one or is there simply none? (would be weird for the Memory Map, as there is an export to CSV which works fine - but no way to import it.)
Any tips would be appreciated!
π£Reni4n
In your first program, in the DataTypeManager window, in the upper right you can select an option to create a Program Archive. You can then share DataTypes to the archive, either by drag/drop into the archive or cut/paste, not a readily discoverable mechanism..
Then, in your new binary, add the archive in the DataTypeManager there and all the types in the archive can be used for typing variables, arguments, etc. (You can also drag/drop to the program, if you desire).
Subsequent changes in either program can be saved to the archive, then in the other program DataTypes can be updated from the archive.
Also, the archive can be added to source control and shared with other developers if you use the ghidra server.
π€marcushall
I thought version tracking would move struct definitions with your markup to the new program version, but I could be misremembering. If you have custom set up entries in the Memory Map regions you should recreate them first before doing the version tracking tool for the best results.
The Data Type Manager will also let you export your custom defined structure manually if all else fails though. I donβt know of a way that migrates memory map settings automatically, however. I guess you could write a script.
π€wilhelms21
π@malwr
reddit
Import Memory Map/structs with the version control tool
Hi, i just found out about the version tracking tool and used it to save my self some time on a new riscv file im checking. In the source file...
Reverse engineering homelab, GDB and multiple architectures?
I recently competed in a CTF where I spent a large amount of time trying to get GDB to reverse a binary on both my Mac and Raspberry PI. At one point I installed the 'multiarch' version of GDB on the Raspberry Pi but was still not very successful. How would I create a homelab that could support as many architectures as possible (so I can be ready to RE any given binary or executable)? What are the tradeoffs of building a homelab with multiple architectures vs multi-architecture support in software like GDB?
π£UnemployedAWSGuy
qemu will let you run a variety of architectures and it has direct hooks for gdb. Run it on Linux directly and you can get acceleration from kvm.
π€8309312feaa9aa4f4628
Snag a remnux image, I usually install pwndbg as well to enhance gdb. Thatβs the easy way.
π€simpaholic
Have you seen Attify OS?
https://blog.attify.com/getting-started-with-firmware-emulation/
I realise now this doesn't specifically answer your question, but I'll leave it here as it's interesting for emulating different architectures
π€bobalob_wtf
π@malwr
I recently competed in a CTF where I spent a large amount of time trying to get GDB to reverse a binary on both my Mac and Raspberry PI. At one point I installed the 'multiarch' version of GDB on the Raspberry Pi but was still not very successful. How would I create a homelab that could support as many architectures as possible (so I can be ready to RE any given binary or executable)? What are the tradeoffs of building a homelab with multiple architectures vs multi-architecture support in software like GDB?
π£UnemployedAWSGuy
qemu will let you run a variety of architectures and it has direct hooks for gdb. Run it on Linux directly and you can get acceleration from kvm.
π€8309312feaa9aa4f4628
Snag a remnux image, I usually install pwndbg as well to enhance gdb. Thatβs the easy way.
π€simpaholic
Have you seen Attify OS?
https://blog.attify.com/getting-started-with-firmware-emulation/
I realise now this doesn't specifically answer your question, but I'll leave it here as it's interesting for emulating different architectures
π€bobalob_wtf
π@malwr
Reddit
From the AskNetsec community on Reddit
Explore this post and more from the AskNetsec community