Grant Hernandez

@Digital_Cold

PhD candidate at , firmware analyst, reverse engineer, and binary breaker.

The Swamp
Joined October 2012

Tweets

  1. Pinned tweet
    Dec 9, 2018

    A writeup for HITCON's Super Hexagon challenge (part1). A detailed look into AArch64 custom kernel exploitation.

  2. Jan 31

    Another stat to add: I estimate AT LEAST 4.4 million lines of code (see repo for the calculation). Absolutely insane!

  3. Jan 24

    Check out how my CTF team, Kernel Sanders, and I approached CSAW's embedded security competition using angr and how we leveraged a buffer overflow to print arbitrary messages to the serial port using RFID shellcode

  4. Jan 24

    Looks like a bug, and almost a vulnerability, but not quite. Maybe some better pwners can take this to an exploit?

  5. Jan 24

    This is the allowed check that is passed to the lack of error handling on fopen: And this is as far as the program gets with the new ulimit:

  6. Jan 24

    Normally it would say this:
    $ crontab newtab
    You (grant) are not allowed to use this program (crontab)
    See crontab(1) for more information

  7. Jan 24

    In vixie-cron, SUID crontab prevents crontab editing if /etc/cron.allow is empty. If you force the ulimit for open files to be 4, auth check is bypassed but you hit another error lower down :(
    $ bash -c 'ulimit -n 4; crontab newtab'
    /var/spool/cron/: mkstemp: Too many open files

  8. Nov 14, 2019
  9. Retweeted

    Success! The duo got the Galaxy S10 to connect to their rogue base station and then pushed a file to the phone. Third year in a row. Off to the disclosure room to get all the details.

  10. Nov 6, 2019

    How complicated is cellular baseband firmware? At least this complicated: over 150K debugging messages across 932 directories and 2,775 files! Rebuilding the source code skeleton from Samsung S10's Shannon S5000 baseband debugging messages.

  11. Retweeted

    Gathered some of my proof-of-concepts and analysis notes on zero day vulnerabilities that I discovered or researched in the past few years, on my github: . Enjoy

  12. Oct 18, 2019

    That patch set did a major refactor of binder from a single global lock to incorporate more fine-grained locking (performance reasons). It's possible that binder was free from most cross-thread races before this and the epoll race window was missed during the refactor

  13. Oct 18, 2019

    I wonder how long CVE-2019-2215 has been exploitable. Trying to read through the kernel sources to figure out if there was a specific date. I notice that earlier kernels called `binder_free_thread` instead of `binder_thread_release`.

  14. Oct 15, 2019

    The writeup and release is here! Tailoring CVE-2015-2215 to Achieve Root -

  15. Oct 9, 2019

    If people are interested, I can release the source/blog on making Qu1ckR00t

  16. Oct 9, 2019

    Rooting a Pixel 2 with Magisk from an untrusted app using CVE-2019-2215, no OEM unlock needed

  17. Oct 8, 2019

    Disabling SECCOMP with a kernel R/W is quite fun! You need to clear the TIF_SECCOMP flag first in thread_info, then the task->seccomp.filter, and finally task->seccomp.mode. Any other combination leads to kernel panics

  18. Oct 4, 2019

    Sweet, got my non-debug Pixel 2 into SELinux permissive by modding the P0 PoC!

  19. Oct 3, 2019

    Trying to modify the Android kernel exploit PoC to change my cred->security->sid to init (7). When I do this the process locks up even without any syscalls. This talk slide 13 mentions this technique. Any thoughts?

  20. Retweeted
    Oct 3, 2019

    I always wanted to do this :-)

  21. Retweeted
    Oct 2, 2019

    There’s also a format string bug going the opposite direction (when your phone's name is %p%p%p...)
