#syscall

0 posts0 participants0 posts today

cryptaxDecai decompiling a malicious shellcode. The instructions are not so readable, if you're not used to syscalls int 0x80. AI does it for you.<a href="https://asciinema.org/a/4PY8wn2TPg2oBdDQ0Q5bgMYjk" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://asciinema.org/a/4PY8wn2TPg2oBdDQ0Q5bgMYjk</a><a href="https://mastodon.social/tags/r2ai" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#r2ai</a> <a href="https://mastodon.social/tags/decai" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#decai</a> <a href="https://mastodon.social/tags/r2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#r2</a> <a href="https://mastodon.social/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://mastodon.social/tags/shellcode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#shellcode</a> <a href="https://mastodon.social/tags/syscall" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#syscall</a> <a href="https://mastodon.social/tags/linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#linux</a>

Felix Palmen :freebsd: :c64:<a href="https://freeradical.zone/@ax6761" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@ax6761</a> Well, you could call it an implementation glitch. <a href="https://mastodon.bsd.cafe/tags/uname" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#uname</a> is *meant* to give you information about "the OS", but has always been implemented as a <a href="https://mastodon.bsd.cafe/tags/syscall" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#syscall</a>, therefore actually telling you something about the <a href="https://mastodon.bsd.cafe/tags/kernel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#kernel</a>.In <a href="https://mastodon.bsd.cafe/tags/FreeBSD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#FreeBSD</a>, the kernel doesn't *have* to be the exact same version as the userland, and for security updates, a new kernel is only built when some patch actually affects the kernel.Note that on a <a href="https://mastodon.bsd.cafe/tags/Linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Linux</a> system, it's arguably even "worse", as Linux is nothing but the kernel. TO know version information about the rest of your installed OS, you'll have to use distribution specific information (or more recently look at the now standardized /etc/osrelease).

cryptaxI'm surprised at how badly <a href="https://mastodon.social/tags/Ghidra" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ghidra</a> decompiles this very simple function.It's a syscall 0x57 which is unlink (remove a file).I'm surprised it decompiles saying it *returns 0x57* ...<a href="https://mastodon.social/tags/decompiler" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#decompiler</a> <a href="https://mastodon.social/tags/syscall" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#syscall</a> <a href="https://mastodon.social/tags/linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#linux</a>

hubertfOn thread vs. process permissionsIn common Unix and POSIX systems, all threads in a process are supposed to have the same permission. So why does the vortex8 program work as exploited, where one thread sets different permissions than another one using setresuid/setresgid?Reference: <a href="https://man7.org/linux/man-pages/man2/setresuid.2.html" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://man7.org/linux/man-pages/man2/setresuid.2.html</a>Answer in thread.<a href="https://mastodon.social/tags/ctf" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ctf</a> <a href="https://mastodon.social/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://mastodon.social/tags/posix" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#posix</a> <a href="https://mastodon.social/tags/linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#linux</a> <a href="https://mastodon.social/tags/glibc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#glibc</a> <a href="https://mastodon.social/tags/syscall" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#syscall</a> <a href="https://mastodon.social/tags/overthewire" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#overthewire</a> <a href="https://mastodon.social/tags/vortex" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#vortex</a>

Some Bits: Nelson's LinkblogStratoshark: Computer debugging tool: like wireshark, but for system calls instead of network packets <a href="https://stratoshark.org/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://stratoshark.org/</a> <a href="https://tech.lgbt/tags/via" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#via</a>:hackernews <a href="https://tech.lgbt/tags/wireshark" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#wireshark</a> <a href="https://tech.lgbt/tags/debugging" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#debugging</a> <a href="https://tech.lgbt/tags/syscall" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#syscall</a> <a href="https://tech.lgbt/tags/strace" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#strace</a> <a href="https://tech.lgbt/tags/devops" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#devops</a> <a href="https://tech.lgbt/tags/linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#linux</a> #+

HoldMyTypewhen you say you cannot use kernel services or any system call for that matter because <a href="https://mathstodon.xyz/tags/Syscall" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Syscall</a> instruction is prohibited inside the enclave. The OS is not a part of the trusted computing base(TCB) in <a href="https://mathstodon.xyz/tags/SGX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SGX</a>. lets assume that syscall was enabled inside the enclave and you write instructions in assembly to execute the syscall instruction(lets say with parameters for the open system call sys_open). When you do a syscall you jump to the predefined location setup by the kernel during boot to start executing kernel code. What this means is you are jumping from code written by you(which is trusted) to code which is not written by you(OS, which is untrusted and is not a part of your TCB). If you were able to do this, it would defeat the security guarantees provided by SGX. Since the kernel/OS/any other software not written by you is untrusted, you could have a malicious kernel whose open system call reads data inside your enclave and steal your secrets. <a href="https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)</a> <a href="https://stackoverflow.com/questions/28114746/what-does-it-implies-to-disable-syscall-in-intel-sgx" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://stackoverflow.com/questions/28114746/what-does-it-implies-to-disable-syscall-in-intel-sgx</a>

Recent searches

Search options

Administered by:

Server stats: