xorl %eax, %eax

Phrack #66


Phrack is out.

It was kind of sad regarding the underground quotes.
Personally, I like mayhem’s comment for the French contributors. heh
Phrack Prophile on The PaX Team
Jesus! Pipacs on Phrack! I bet spender will be soooo sooo happy with this :P Admit it. the_uT’s one was more interesting.
The Objective-C Runtime: Understanding and Abusing
Once again nemo did it. He explores and exploits Objective C in Mac OS X. Also, his asl_* abuse was pretty neat :)
Developing a Trojaned Firmware for Juniper ScreenOS Platforms
This article by Graeme was great! It’s one of the very few articles dealing with backdoored image files in network devices. I really liked that!
Yet another free() exploitation technique
Man… I am flattered! A brilliant Greek from GRHack wrote one of the best articles of this issue. Thank you hk!
Persistent BIOS Infection
Core Security shows us the way to BIOS infection. Even though this is not a new concept, they made some remarkable research in this article and it definitely deserves your time.
Exploiting UMA : FreeBSD kernel heap exploits
Hehe! The popular Greek coder argp and the well known researcher Karl Janmar from signedness wrote an innovative paper about FreeBSD kernel heap exploitation. This is not anything new but they did excellent work in documenting it in great detail. This is clearly the ultimate FreeBSD kernel heap exploitation article I am aware of.
Exploiting TCP and the Persist Timer Infiniteness
ithilgore and his crazy network stuff… I have to admit that when he told me about that design flaw I was unable to follow. This is an amazing article since it is theoretical, practical and innovative all in one :P Well done ithilgore! :)
The third article in this issue about heap exploitation was written by blackngel. This is another excellent work on heap exploitation which, as the author states, aims to give practical examples for the classic Malloc Maleficarum. Something like what K-sPecial did in the .aware alpha release. They went far beyond this with this paper!
A Real SMM Rootkit
This is written by Filip Wecherowski who, at last, builds a real SMM rootkit. There has been a lot of hype about SMM rootkits since the Phrack #65 article and the Blackhat 2008 presentation. This article goes extensively through the details of such rootkits.
Alphanumeric ARM shellcode
This is written by Yves Younan and Pieter Philippaerts. Forgive me for that, but I don’t think this compares to the rest of the articles of #66. It is still a great resource for ARM internals and the undocumented alphanumeric shellcoding on RISC ARM processors. Nevertheless, shellcoding for exotic CPUs is not something really innovative. It is still an amazing article; this is just my opinion in comparison to the rest of the papers.
Power cell buffer overflow
This article, written by BSDaemon, talks about CELL exploitation. As I said earlier, even though I love reading/studying such subjects from my geeky side, I find them impractical from my security side. Unless you’re planning to have some PS3 botnet… Anyhow, excellent analysis and a great enhancement of the already known exploitation techniques for CELL.
manual binary mangling with radare
A great new framework for reverse engineering written by pancake. I haven’t studied radare in detail yet but from this article, it seems beautiful.
Linux Kernel Heap Tampering Detection
If you’re interested in Linux kernel heap exploitation or in detecting heap tampering, this is just a great resource. It is written by Larry H. and explains all of the memory allocators used in the Linux kernel in detail. Then it compares their limitations to the OpenBSD and NetBSD implementations as well as to the recent safe unlinking of Windows. Really cool article. It even deals with subverting SELinux and AppArmor.
Developing Mac OSX kernel rootkits
Two Swedish guys, ghalen and wowie, wrote about OS X rootkits. I don’t know much about OS X and I was surprised to see how easy it really is to code rootkits for it (in comparison to Linux). Thank you guys for this article :)
How close are they of hacking your brain?
This is a completely different article, written by dahut. It deals with concepts such as injecting content into our brains and similar subjects which I’m not really keen on. Still a really interesting article.

To conclude, in my opinion Phrack #66 is excellent even though it has some sort of “heap exploitation mania” :P Every single article is great. Congratulations to everyone involved in achieving this. On the downside, it didn’t include any “art of exploitation” article, which I really liked, and there was no “international scenes” article, but I am aware of the problems you had finding one. Thank you all for this release :)

P.S.: Semi-irrelevant reply:

<@nemo> ah come on
<@nemo> who is xorl
<@nemo> i know you’re here :(
<@nemo> haha
<@nemo> :P

Indeed… I was there :P

Written by xorl

June 11, 2009 at 10:59

Posted in fun, phrack

9 Responses


  1. it sure is!


    June 11, 2009 at 12:12

  2. If you do not give me 2 0-days, I will reveal who you really are :-)


    June 12, 2009 at 08:46

  3. @thanasisk: Assuming that this is a relevant comment, which it isn’t, here is my reply.

    Sir, I don’t possess the secrets of vulnerability discovery and thus not what you request. You may audit code and find your own bugs in the interwebs software applications by employing your hardcore programming and exploit development skills.

    Moving to the next subject, xorl’s real identity. This could be answered by a song’s lyrics like this:

    I’m your dream, make you real
    I’m your eyes when you must steal
    I’m your pain when you can’t feel
    Sad but true

    I’m your truth, telling lies
    I’m your reasoned alibis
    I’m inside open your eyes
    I’m you

    From the epic music group, Metallica.
    Or it could be answered from a movie (yes, I didn’t read the book) like this:

    I am Jack’s complete lack of surprise.
    I am Jack’s inflamed sense of rejection.
    I am Jack’s smirking revenge.
    I am Jack’s wasted life.

    And to end this pointless reply…

    WHOA! WHOA! WHOA! Ok, you are now firing a gun at your ‘imaginary friend’ near 400 gallons of nitroglycerine!



    June 12, 2009 at 11:27

  4. Yes, I am happy :)


    June 12, 2009 at 13:22

  5. so xorl is Robert Paulson it seems!


    June 12, 2009 at 13:32

  6. Actually there is no other paper or any other work on fbsd kernel heap exploitation ;)


    June 12, 2009 at 13:34

  7. @spender: approved ;p

    @thanasisk: damn it! I might also be James Hetfield :P

    @argp: Thank you for that article. It is really a great piece of work.


    June 12, 2009 at 14:39

  8. Hm..
    cat nemo | gawk -vORS=" " '{print $3,$4;exit}' && echo break your toys


    June 12, 2009 at 18:19

  9. Very well done to the phrack.org editors, another issue made with unparalleled levels of unique disclosure. Even those which have been in the wild were documented with grandeur and accuracy. It’s pretty impressive that people continue to strive to maintain information freely ‘lol 2600’, providing the general public something new, diverse and creative dialogue. Very well done, xorl, for documenting (although rather shortly summarized) within hours of its release. I’d use this juncture to say that your continuous and regular posts on the latest vulnerabilities released cost short, hard to manage time and great effort to attempt repeatedly. Good form!


    June 14, 2009 at 00:44
