Pinned Tweet
A writeup for HITCON's Super Hexagon challenge (part 1). A detailed look into AArch64 custom kernel exploitation. https://hernan.de/blog/2018/10/30/super-hexagon-a-journey-from-el0-to-s-el3/
Another stat to add: I estimate AT LEAST 4.4 million lines of code (see repo for the calculation). Absolutely insane!
Check out how my CTF team, Kernel Sanders, and I approached CSAW's embedded security competition using angr and how we leveraged a buffer overflow to print arbitrary messages to the serial port using RFID shellcode. https://github.com/ufsit/csawesc19
Looks like a bug, and almost a vulnerability, but not quite. Maybe some better pwners can take this to an exploit?
This is the allowed check that is passed due to the lack of error handling on fopen: https://github.com/svagner/vixie-cron/blob/13d13f0b38d73e7a415caa77b5821be92dd16f70/misc.c#L462 And this is as far as the program gets with the new ulimit: https://github.com/svagner/vixie-cron/blob/13d13f0b38d73e7a415caa77b5821be92dd16f70/crontab.c#L845
Normally it would say this:
$ crontab newtab
You (grant) are not allowed to use this program (crontab)
See crontab(1) for more information
In vixie-cron, SUID crontab prevents crontab editing if /etc/cron.allow is empty. If you force the ulimit for open files to be 4, the auth check is bypassed but you hit another error lower down :(
$ bash -c 'ulimit -n 4; crontab newtab'
/var/spool/cron/: mkstemp: Too many open files
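The fail-open pattern behind that thread, as an added example that is not vixie-cron's code and not part of the original tweets: a hypothetical re-implementation of an allow/deny file check in which any fopen() failure is treated as "file absent", beside a variant that only treats ENOENT that way and fails closed on everything else (EMFILE from a lowered RLIMIT_NOFILE, EACCES, and so on). The scratch directory, the empty cron.allow file, the user name "grant" and the descriptor limit of 0 (the tweet used 4 because crontab itself still needs a few descriptors) are all constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/stat.h>

/* Line-oriented membership test: is `user` listed on a line of `f`? */
static int in_file(const char *user, FILE *f)
{
    char line[256];
    while (fgets(line, sizeof line, f)) {
        line[strcspn(line, "\r\n")] = '\0';
        if (strcmp(line, user) == 0)
            return 1;
    }
    return 0;
}

/* Hypothetical fail-open policy: allow file present -> user must be listed;
 * deny file present -> user must not be listed; neither -> everyone allowed.
 * fopen() failing for ANY reason looks like "file absent", so once the
 * process cannot open files at all, an empty allow file becomes "no policy". */
static int allowed_naive(const char *user, const char *allow, const char *deny)
{
    FILE *f;
    int ok;
    if ((f = fopen(allow, "r")) != NULL) {
        ok = in_file(user, f);
        fclose(f);
    } else if ((f = fopen(deny, "r")) != NULL) {
        ok = !in_file(user, f);
        fclose(f);
    } else {
        ok = 1;                         /* no policy files -> allow */
    }
    return ok;
}

/* Hardened variant: only ENOENT means "file absent"; any other failure
 * (EMFILE, EACCES, ...) is an error and denies. */
static int allowed_strict(const char *user, const char *allow, const char *deny)
{
    FILE *f;
    int ok;
    errno = 0;
    if ((f = fopen(allow, "r")) != NULL) {
        ok = in_file(user, f);
        fclose(f);
        return ok;
    }
    if (errno != ENOENT)
        return 0;                       /* could not evaluate policy: fail closed */
    errno = 0;
    if ((f = fopen(deny, "r")) != NULL) {
        ok = !in_file(user, f);
        fclose(f);
        return ok;
    }
    if (errno != ENOENT)
        return 0;
    return 1;
}

typedef int (*policy_fn)(const char *, const char *, const char *);

/* Create a scratch dir with an EMPTY cron.allow and no cron.deny, run `check`
 * under a temporarily lowered RLIMIT_NOFILE soft limit (unchanged if limit < 0),
 * restore the limit and clean up. Returns the verdict, or -1 on setup failure. */
static int run_case(policy_fn check, long limit)
{
    char dir[128], allow[160], deny[160];
    struct rlimit saved, low;
    int verdict;
    FILE *f;

    snprintf(dir, sizeof dir, "/tmp/cronallow.%ld", (long)getpid());
    snprintf(allow, sizeof allow, "%s/cron.allow", dir);
    snprintf(deny, sizeof deny, "%s/cron.deny", dir);
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    if ((f = fopen(allow, "w")) == NULL) {   /* empty allow file: nobody listed */
        rmdir(dir);
        return -1;
    }
    fclose(f);

    if (getrlimit(RLIMIT_NOFILE, &saved) != 0)
        return -1;
    if (limit >= 0) {
        low = saved;
        low.rlim_cur = (rlim_t)limit;        /* same trick as `ulimit -n` */
        if (setrlimit(RLIMIT_NOFILE, &low) != 0) {
            unlink(allow);
            rmdir(dir);
            return -1;
        }
    }
    verdict = check("grant", allow, deny);
    if (limit >= 0)
        setrlimit(RLIMIT_NOFILE, &saved);    /* back up to the old soft limit */
    unlink(allow);
    rmdir(dir);
    return verdict;
}

int demo_naive_unlimited(void)    { return run_case(allowed_naive, -1); }  /* 0: empty allow file denies */
int demo_naive_fd_exhausted(void) { return run_case(allowed_naive, 0); }   /* 1: bypassed */
int demo_strict_fd_exhausted(void){ return run_case(allowed_strict, 0); }  /* 0: fails closed */

int main(void)
{
    printf("naive, normal limit:     %d\n", demo_naive_unlimited());
    printf("naive, RLIMIT_NOFILE=0:  %d\n", demo_naive_fd_exhausted());
    printf("strict, RLIMIT_NOFILE=0: %d\n", demo_strict_fd_exhausted());
    return 0;
}
```

The check in the second variant is the one a SUID program needs: the caller controls the soft descriptor limit it inherits, so "I could not read the policy" must never collapse into "there is no policy".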
Emulation is not a crime. https://twitter.com/CorelliumHQ/status/1195021066139242497
Grant Hernandez Retweeted
Success! The @fluoroacetate duo got the #Samsung Galaxy S10 to connect to their rogue base station and then pushed a file to the phone. Third year in a row. Off to the disclosure room to get all the details. pic.twitter.com/y5fpJcf3t9
How complicated is cellular baseband firmware? At least this complicated: over 150K debugging messages across 932 directories and 2,775 files! Rebuilding the source code skeleton from Samsung S10's Shannon S5000 baseband debugging messages. https://github.com/grant-h/shannon_s5000
Grant Hernandez Retweeted
Gathered some of my proof-of-concepts and analysis notes on zero day vulnerabilities that I discovered or researched in the past few years, on my github: https://github.com/badd1e/Disclosures. Enjoy
That patch set did a major refactor of binder from a single global lock to incorporate more fine-grained locking (performance reasons). It's possible that binder was free from most cross-thread races before this and the epoll race window was missed during the refactor
I wonder how long CVE-2019-2215 has been exploitable. Trying to read through the kernel sources to figure out if there was a specific date. I notice that earlier kernels called `binder_free_thread` instead of `binder_thread_release`. https://lore.kernel.org/patchwork/patch/805046/
The writeup and release are here! Tailoring CVE-2019-2215 to Achieve Root - https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/
If people are interested, I can release the source/blog on making Qu1ckR00t
Rooting a Pixel 2 with Magisk from an untrusted app using CVE-2019-2215, no OEM unlock needed. pic.twitter.com/yGovBluQj5
Disabling SECCOMP with a kernel R/W is quite fun! You need to clear the TIF_SECCOMP flag first in thread_info, then the task->seccomp.filter, and finally task->seccomp.mode. Any other combination leads to kernel panics
Sweet, got my non-debug Pixel 2 into SELinux permissive by modding the P0 PoC!
Trying to modify the Android kernel exploit PoC to change my cred->security->sid to init (7). When I do this the process locks up even without any syscalls. This talk http://powerofcommunity.net/poc2016/x82.pdf slide 13 mentions this technique. Any thoughts?
Grant Hernandez Retweeted
There’s also a format string bug going the opposite direction (when your phone's name is %p%p%p...) https://twitter.com/fransrosen/status/1179458907900698626 pic.twitter.com/QqEfSRVIot