The stosb detection method for qemu lives AGAIN, only my version checks for a segfault because they patched this, but they patched it DIRTY xD

-
This is technically a new vulnerability found by myself that checks for BOTH mine and the original vulnerability that would fail to write over the memory location directly below what would be a jmp to say we were in fact in the matrix. 



// ------------------------------------------------------------------------------
// THE BEER-WARE LICENSE (Revision 43):
// <aaronryool@gmail.com> wrote this file. As long as you retain this notice you
// can do whatever you want with this stuff. If we meet some day, and you think
// this stuff is worth it, you can buy me a beer in return
// ------------------------------------------------------------------------------

#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/mman.h>

int main(unsigned a);

__sighandler_t handler(int sig)  // our signal handler function
{
 switch(sig)
 {
  case SIGSEGV:  // when segfaults happen
   main(0xC0DE); // assume they have to be because of the bug and tell us we are in the matrix
  break;
 }
}
unsigned qemu(void)
{
 void *page =(void *) ((unsigned long) (&&assembly) &~(getpagesize() - 1)); // get the page the assembly is on
 mprotect(page, getpagesize(), PROT_READ | PROT_WRITE | PROT_EXEC); // mark that shit as RWE for self modification
assembly: asm volatile(
".intel_syntax noprefix\n"
 "mov eax, 0x90\n" // move a nop into eax for copying
 "mov ecx, 9\n"  // move 9 into ecx for the number of bytes the byte code is from the offset to the jmp
 "mov edi, offset $\n" // mov the address of the start of this instruction into edi for rep
 "rep stosb\n"  // finally, repeat that byte over the memory region
 "jmp _qemu\n"  // this should be overwritten, if it isnt, some naughty child is running an old version of qemu lol, and they are in the matrix
 "jecxz noqemu\n"  // if ecx is 0, we are not in the matrix by definition lol, if it is not 0, then
"_qemu:\n"   // this is the matrix
 "mov eax, 1\n"  // follow cdecl calling convention and return 1 in eax
 "ret\n"
"noqemu:\n"   // this is not the matrix
 "xor eax, eax\n"); // return 0 according to cdecl calling convention
}


int main(unsigned a)
{
 if(a==0xC0DE) goto matrix; // if this shit is from a segfault, we are matrix status
 signal(SIGSEGV, &handler); // register the segfault signal to be caught by our handler
 
 if(qemu()) goto matrix;  // if this is an old version of qemu, and the standard vulnerability is present, MATRIX (upgrade yo shit foo)
 puts("Isn't real life boring?"); // if we get here, this is boring reality :( no cool ninja moves today bro lol
 exit(0);

matrix:
 puts("The Matrix haz you Neo..."); // this is where you would put ninja moves, jack in or jack off, your choice ;)
 exit(1);
}

Comments

Post a Comment

Popular posts from this blog

What is a canary, how does it work, and what does that mean if I want to write a modern exploit.

-
Image
Canaries were  once regularly used  in  coal mining as an early warning system . Toxic gases such as carbon monoxide or asphyxiant gases such as methane  in the mine  would kill the bird before affecting the  miners . Signs of distress from the bird indicated  to  the  miners  that conditions  were  unsafe . Let's start with some history Oh the good old days. I remember a time when hackthissite.org , and  Smash The Stack  were fresh, and BOF's were often as easy as shoving your shellcode where the buffer was supposed to be and overwriting the return pointer with where that buffer was... Then they had to go and ruin the fun by widely adopting ASLR (Address Space Layout Randomization), DEP (Data execution protection), and  canaries  (stack cookies). Now in these dark times not only do we have to ROP with return to libc, we have to chain that with a memory leak vulnerability if we have any hope of  smashing the stack. While I plan to do posts soon covering all of these exciti
Read more

Better visualization of data formats using assembly POC's to better implement them in C

-
Image
Are you tired of staring at hex dumps, white papers and manual pages? Want to feel like you truly know how a data type like a file format, or a disk partition LOOKS like. Well I can't help you with the manual pages and white papers, ( https://staff.washington.edu/dittrich/misc/fatgen103.pdf , http://www.eit.lth.se/fileadmin/eit/courses/eitn50/Projekt1/FAT12Description.pdf ) but here is a great example of implementing a fat12 floppy image in assembly. ;//////////////////////////////////////////////////////////////////////////////// ;// THE SCOTCH-WARE LICENSE (Revision 0): ;// <aaronryool@gmail.com> wrote this file. As long as you retain this notice you ;// can do whatever you want with this stuff. If we meet some day, and you think ;// this stuff is worth it, you can buy me a shot of scotch in return ;//////////////////////////////////////////////////////////////////////////////// ; This assembles to a floppy disk image [bits 16] [org 0x7C00] ;;;;;;;;;;;;;;;;;
Read more

Putting Linux on your Android device using debootstrap and chroot

-
Image
Ok, so first thing first. You will need a few things done BEFORE you attempt this tutorial: A rooted android device of sorts with debugging enabled and busybox installed An sdcard to store the debian image on A Linux machine (or live cd) to prepare the debian system image ADB for remounting the system partition and pushing startup scripts A terminal application installed on your droid and about an hour of free time Lets get right into it open up a terminal, and make a directory that you will be storing all of the files and things we create for easy cleanup later. I called mine linux_on_android. change to that directory, all instructions from here on out will be relative to whatever directory you are currently residing in after this step. Next, we create an empty raw disk image, make a directory to mount it under, create a filesystem on the image, and mount it under our new mount point. Now lets change into our mnt directory, install debootstrap, and use it to install a base system into
Read more