blasty
@bl4sty
irresponsible disclosure aficionado
The Netherlands
Joined April 2009
Posts
  • wholesome yet dystopian
  • the xz sshd backdoor rabbithole goes quite a bit deeper. I was just able to trigger some harder-to-reach functionality of the backdoor. there's still more to explore.. 1/n
  • Replying to @bl4sty
    auth bypass confirmed! > INFO:paramiko.transport:Authentication (password) successful! mm_keyallowed_backdoor cmd 1 allows overriding the response for mm_answer_authpassword with a custom one. if you set it to { u32(9), u8(13), u32(1), u32(0) } you can login with any pass 🤓
  • xz bd engineer 1: bro, we need a way to probe the address space to make sure we never SEGV sshd
    xz bd engineer 2: we'll just do a pselect syscall with empty fd sets, a timeout of 1 nanosecond and the addr we want to probe is passed as the sigmask pointer, EFAULT means unmapped
  • Decided to publish the Lexmark printer exploit + writeup + tools instead of selling it for peanuts. 0day at the time of writing: github.com/blasty/lexmark -- enjoy!
  • nothing to see here, just properly documenting the fixed defects in the backdoor code 😂
  • Hacked up a quick Dirty Pipe PoC that spawns a shell by hijacking (and restoring) the contents of a setuid binary. haxx.in/files/dirtypip…
  • Replying to @bl4sty
    .. since this tweet is ballin' slightly outta control: 1) image was stolen from @[email protected] on the fediverse, not my neighbourhood (SF) 2) all the printers I currently own will only display this quirky animation: x.com/thezdi/status/… -- who do I contact??
    While @bl4sty only scored a COLLISION (non-unique bug) - Peter definitely gets a boatload of STYLE POINTS for this hack on a Canon printer @ #P2OToronto #Pwn2Own
  • Replying to @bl4sty
    you gotta appreciate the way they shipped the backdoored object file. added some "test" data to the source tree that gets unxz'd and (dd) carved in a specific way, that is fed into a deobfuscator written in.. awk script and the result gets unxz'd again
  • Replying to @bl4sty
    whoever designed this stuff had to take a deep dive into OpenSSH(d) internals (and so did I for the past couple of days, oof) .. hats off, once again :)
  • Here we can see @AnthropicAI's claude (Sonnet 3.7 model) talking to IDA pro to reverse engineer a CTF task I made for @PotluckCTF, it does pretty well! It manages to get a grasp of the entire custom VM instruction set, file format, syscall interface etc. 🤓 The MCP server is
  • Dirty Pipe PoC (dirtypipe.cm4all.com) works beautifully. 🤑