SandboxEscaper Dec 16
Here is part one. Pretty sure the attack surface described has many more bugs (not just the vmware tools installer.. I doubt this bug is exploitable in the first place, just wanted something to demo that is unpatched, easier for folks to learn!)
checkymander Dec 17
Replying to @SandboxBear
awesome post, out of curiosity have you thought of subscribing to SHChangeNotify or something similar to monitor for when the files get created/deleted?
SandboxEscaper
Procmon works very well for me. If I were to write my own tooling, I would write something similar to process monitor, at least visually, that allows you to hook arbitrary functions (ones that are used for resource access) to find race conditions elsewhere, not just filesystem
checkymander Dec 17
Replying to @SandboxBear
Sorry, I meant in reference to your poc where you attempt to createfile until the file is gone and the call succeeds.
SandboxEscaper Dec 17
Replying to @checkymander
lol! Sorry, I completely misunderstood. Yes, I have done that in the past, but it's too slow when you have a really small timing window. It takes a while for the event to register. Sometimes you can get away with the small delay, sometimes not.