<?xml version="1.0" encoding="UTF-8" ?><rss version="2.0"><channel><title>Top Topics in the &quot;Da Slop Pit&quot; Group Forum | SpaceHey</title><link>https://groups.spacehey.com/forum?id=15912</link><description>Forum Topics in the &quot;Da Slop Pit&quot; Group Forum on SpaceHey, created by users.</description><item><title>sloppy certificate enrollment protocol, for ghosts (cve-2021-3060)</title><link>https://forum.spacehey.com/topic?id=83646</link><guid>https://forum.spacehey.com/topic?id=83646</guid><description>i found a rce (Really Cool Exploit) in the sslmgr component of globalprotect a while ago. this exploit is particularly fun because it combines a default crypto key, command parameter injection, and creative uses of the openssl command. requests to sslmgr require a few parameters: - scep-profile-name: the configured name of the scep profile - user-email: the email of the user - user: the name of th...</description><pubDate>Mon, 18 Apr 2022 04:52:32 +0000</pubDate></item><item><title>Too late for BGGP3, too early for starships</title><link>https://forum.spacehey.com/topic?id=93101</link><guid>https://forum.spacehey.com/topic?id=93101</guid><description>I found out about BGGP3 late, but I wanted to make a late entry to say hi to da slop pit. I was able to slightly modify some symbolic execution tooling I have been playing with to quickly generate a minimal crashing case. Procmod64.exe falls over easily when loading PML files and I&#039;ve been using the crashes to show off some of my symbolic execution triage tooling. I&#039;ll post a larger blog post abou...</description><pubDate>Sat, 22 Oct 2022 18:55:56 +0000</pubDate></item><item><title>attacker controlled format string in PAN-OS captive portal NTLM authentication</title><link>https://forum.spacehey.com/topic?id=83542</link><guid>https://forum.spacehey.com/topic?id=83542</guid><description>greetings fellow scene queens, emo wolf girls, and sloppy ghosts. 
today i have a special treat for you (and no, this time it&#039;s not a bottle of piss). after writing an exploit for CVE-2019-1579, a format string bug in globalprotect, i wrote a tool to look for format string bugs using ghidra. i ran this script against a few dozen libraries and executables, and as it turns out, there are a lot of for...</description><pubDate>Sat, 16 Apr 2022 23:51:05 +0000</pubDate></item><item><title>Python3.7+ Multi-arch .pyc shellcode dropper</title><link>https://forum.spacehey.com/topic?id=89320</link><guid>https://forum.spacehey.com/topic?id=89320</guid><description>Python pyc files are a binary format that is used to speed up the process of interpreting imported files. They contain a small header, metadata about the code object, and the bytecode itself. There&#039;s a lot of resources for Python2.7, but since Python 2.x has been deprecated, there aren&#039;t many resources for Python3, specifically Python3.7+. Much of the main difference between Python versions is the...</description><pubDate>Tue, 09 Aug 2022 22:29:47 +0000</pubDate></item><item><title>Wireshark is a lolbin</title><link>https://forum.spacehey.com/topic?id=84164</link><guid>https://forum.spacehey.com/topic?id=84164</guid><description>If you haven&#039;t heard of lolbins check out: https://lolbas-project.github.io/ Wireshark is capable of running Lua scripts from the command line directly. The -X flag is for eXtension options, which focus primarily on running Lua scripts. Since the Lua engine is used to run dissectors, this should be part of your base Wireshark installation. 
Command line options: https://www.wireshark.org/docs/wsug_...</description><pubDate>Mon, 25 Apr 2022 21:40:27 +0000</pubDate></item><item><title>manually encrypting/decrypting data with your pan-os device master key</title><link>https://forum.spacehey.com/topic?id=84978</link><guid>https://forum.spacehey.com/topic?id=84978</guid><description>the device master key is used for encrypting secrets in your config, generating api tokens, and probably a bunch of other stuff i haven&#039;t looked into much yet. despite the default master key (&#039;p1a2l3o4a5l6t7o8&#039;) being widely available, there isn&#039;t any public information about how to use this key to manually encrypt and decrypt data. by default, and on all systems before pan-os 10.0, master key encr...</description><pubDate>Thu, 05 May 2022 07:11:05 +0000</pubDate></item><item><title>i have a potentially awkward question,,</title><link>https://forum.spacehey.com/topic?id=83380</link><guid>https://forum.spacehey.com/topic?id=83380</guid><description>is anyone else here a ghost? 👻 i wasn’t for a long time and i’m not sure how it happened. last thing i remember i was in line at sizzler???</description><pubDate>Thu, 14 Apr 2022 23:10:35 +0000</pubDate></item><item><title>PAN-OS sysd: privescs 4 dayz</title><link>https://forum.spacehey.com/topic?id=84127</link><guid>https://forum.spacehey.com/topic?id=84127</guid><description>sysd provides a key/value database with powerful callback functionality for IPC and configuration storage. Data is stored hierarchically with paths such as cfg.platform.serial. Data can be queried programmatically or with the sdb command line tool. 
For example, you can query the management interface MAC address using sdb cfg.platform.mac and you could also modify this using sdb cfg.platform.mac=aa:...</description><pubDate>Mon, 25 Apr 2022 16:18:04 +0000</pubDate></item><item><title>intel apx 432</title><link>https://forum.spacehey.com/topic?id=83397</link><guid>https://forum.spacehey.com/topic?id=83397</guid><description>from the manual: One of the unique features of the Intel 432 is its instruction encoding. Instructions are bit-variable in length and can start on any bit boundary. The instruction pointer thus contains the bit offset into the current instruction segment, which can be up to 8K bytes in size. An instruction consists of up to four fields, as shown in Figure 9-14. The fields themselves are also varia...</description><pubDate>Fri, 15 Apr 2022 02:24:18 +0000</pubDate></item><item><title>sloppy memory</title><link>https://forum.spacehey.com/topic?id=89094</link><guid>https://forum.spacehey.com/topic?id=89094</guid><description>have u ever been so sloppy as to allocate the same shared memory region multiple times, but with different page protections #include   #include            #include           #include #include #include #include #include          #include /* the mem u get     0x7ffff796e000     0x7ffff7a6e000 r-xp   100000 0      /dev/shm/ipc     0x7ffff7a6e000     0x7ffff7b6e000 rw-p   100000 0      /dev/shm/ipc   ...</description><pubDate>Fri, 05 Aug 2022 07:28:30 +0000</pubDate></item><item><title>sloppy logging in da slop pit</title><link>https://forum.spacehey.com/topic?id=89978</link><guid>https://forum.spacehey.com/topic?id=89978</guid><description>Among other uses, PAN-OS uses the device master key to encrypt secrets in the config. 
Most of the time, a malicious administrator can simply decrypt the passwords using the AES-256-CBC key &#039;8103850245b9b48f0428c5b74e2615528103850245b9b48f0428c5b74e261552&#039;, but occasionally administrators will actually remember to change the default master key. Luckily, Palo Alto Networks made sure to provide an al...</description><pubDate>Tue, 23 Aug 2022 06:26:41 +0000</pubDate></item><item><title>How to set up a Gemini capsule</title><link>https://forum.spacehey.com/topic?id=89852</link><guid>https://forum.spacehey.com/topic?id=89852</guid><description>How to set up a Gemini capsule Intro Hello!  Setting up a gemini capsule can be fun and rewarding, and it&#039;s not too hard! However, there are some tricky parts that stumped me for a bit when I was starting mine. I figured, since I ran into trouble, I might as well write a guide on how to host your own gemini capsule for anyone running into similar problems. What server to use? Personally, I used ag...</description><pubDate>Sat, 20 Aug 2022 18:11:26 +0000</pubDate></item><item><title>Small file hasher written in hare</title><link>https://forum.spacehey.com/topic?id=89815</link><guid>https://forum.spacehey.com/topic?id=89815</guid><description>Hi :) I wrote a quick file hasher in hare.  
Run the program and pass whatever file you want hashed as an argument and it&#039;ll make the sha256 hash for it and print it out for you</description><pubDate>Fri, 19 Aug 2022 22:27:24 +0000</pubDate></item><item><title>Wowee wow</title><link>https://forum.spacehey.com/topic?id=83364</link><guid>https://forum.spacehey.com/topic?id=83364</guid><description>Hehe neat</description><pubDate>Thu, 14 Apr 2022 22:21:49 +0000</pubDate></item><item><title>vmalloc-out-of-bounds Write in imageblit </title><link>https://forum.spacehey.com/topic?id=83367</link><guid>https://forum.spacehey.com/topic?id=83367</guid><description>A few months ago I saw this bug but wasn&#039;t sure if anyone actually did anything with it so here are the notes. The Crash From:  https://syzkaller.appspot.com/bug?id=c46757660a2b99103a2f46a15bfcd8d687d5dabc KASAN: vmalloc-out-of-bounds Write in imageblit (2) BUG: unable to handle page fault for address: fffff520008b2208 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-presen...</description><pubDate>Thu, 14 Apr 2022 22:24:11 +0000</pubDate></item><item><title>where da slop at </title><link>https://forum.spacehey.com/topic?id=83773</link><guid>https://forum.spacehey.com/topic?id=83773</guid><description>where da slop at where da slop at Lorem ipsum Lorem ipsum Lorem ipsum where da slop at Lorem ipsum Lore where da slop at Lorem ipsum Lore where da slop at m where da slop at where da slop at where da slop at where da slop at</description><pubDate>Tue, 19 Apr 2022 07:49:47 +0000</pubDate></item><item><title>sloppy data base (cve-2021-3061)</title><link>https://forum.spacehey.com/topic?id=83846</link><guid>https://forum.spacehey.com/topic?id=83846</guid><description>hewwo :3 yesterday i showed you how to get remote code execution as some preppy loser. today i will show you one easy trick to escalate privileges until ur cooler than boxxy. pan-os internally uses a neat database/ipc service called sysd. 
sysd allows querying and storing objects (such as the serial number or configuration data) as well as registering as a handler for object accesses and being...</description><pubDate>Wed, 20 Apr 2022 06:14:35 +0000</pubDate></item><item><title>zomg curl in my php!!! (cve-2021-3058)</title><link>https://forum.spacehey.com/topic?id=83750</link><guid>https://forum.spacehey.com/topic?id=83750</guid><description>hey you little pissbabiez you think php is so cool, huh? you think php is so great? you talk a lotta big game for someone with such a vuln box!! while grepping for command injection, i came across this code in /var/appweb/htdocs/php/rest/RestApi.php, which handles requests for the pan-os xml api. $url = self::assertParamPresent(&quot;url&quot;); $userName = self::param(&quot;user&quot;, &quot;dummy&quot;); $password = self::pa...</description><pubDate>Mon, 18 Apr 2022 23:04:42 +0000</pubDate></item><item><title>favorite late night snack</title><link>https://forum.spacehey.com/topic?id=84292</link><guid>https://forum.spacehey.com/topic?id=84292</guid><description>What is everyone&#039;s favorite late night snack? I know it was in the title but I&#039;m just curious haha I find that I like really salty things, so a bold chex mix or sour cream and onion potato chips really hit the spot. But my favorite? Mozzarella cheese sticks with marinara. Hands down. I keep a bag in my freezer and they only take like 10 minutes to bake! What about you?</description><pubDate>Tue, 26 Apr 2022 20:23:43 +0000</pubDate></item><item><title>disassembler mistrust (dis-trust)</title><link>https://forum.spacehey.com/topic?id=91512</link><guid>https://forum.spacehey.com/topic?id=91512</guid><description>a haiku about disassembler trust, bfu trust disassemblers? or do you have trust issues i think i do too dis-trust i tend to use ida, but sometimes i don&#039;t and when i don&#039;t, i tend to double check.. in ida what if i can&#039;t double check in ida? 
today i used ghidra (nsa implant) i think i publicly complain enough about ghidra. this is fine, whatever, it&#039;s adequate - but ida is better. anyways, i saw s...</description><pubDate>Tue, 20 Sep 2022 23:40:16 +0000</pubDate></item><item><title>mips for a sane x86 RE</title><link>https://forum.spacehey.com/topic?id=89669</link><guid>https://forum.spacehey.com/topic?id=89669</guid><description>so recently, i had to learn how to read mips granted, i had avoided it, because it&#039;s hard (ok not anymore but i really thought it was hard but i don&#039;t smell toast anymore so i think it&#039;s ok) here&#039;s a table that makes me feel a little better, where n is a number (has ARM energy) mips register(s) probably x86 equivalent thoughts $zero literally the number zero no thots brain empty $at no clue for the ...</description><pubDate>Wed, 17 Aug 2022 00:20:16 +0000</pubDate></item><item><title>Things that are not BGGP3 Entries</title><link>https://forum.spacehey.com/topic?id=89761</link><guid>https://forum.spacehey.com/topic?id=89761</guid><description>Looking for crashes has been fun and I have learned a lot. I have been down some rabbit holes and found some funny bugs. Here are some things that are NOT BGGP3 submissions that I wanted to share :) #1 CHASOPRO 4.0.249 (latest) Buffer Overrun ------------------------------------------- Buffer overrun when importing a jpg named: BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3...</description><pubDate>Fri, 19 Aug 2022 00:26:54 +0000</pubDate></item><item><title>pan-os rce in dynamic slopdates (cve-2021-3059) </title><link>https://forum.spacehey.com/topic?id=84548</link><guid>https://forum.spacehey.com/topic?id=84548</guid><description>every hour, a cron job on pan-os runs the /usr/local/bin/pan-gpdatafile-updater script. this is a shell script which checks for updates to some data files used by the system. at a high level, the script will: - check if there is an update available from the server. 
- if there are no updates available, don&#039;t do anything - if there are updates available, use the URL returned by the update check endp...</description><pubDate>Fri, 29 Apr 2022 06:16:22 +0000</pubDate></item><item><title>o p t i m i z e</title><link>https://forum.spacehey.com/topic?id=83538</link><guid>https://forum.spacehey.com/topic?id=83538</guid><description>in this thread we&#039;re making yaxpeax-x86 faster. i have a super bad microbenchmark that lives in the repo, it&#039;s my spot check for &quot;did i make it obviously worse&quot;. it involves disassembling like 500 bytes of instructions or something, so the whole disassembler and dataset pretty quickly end up in cache. it gets really good ipc numbers and makes me feel good about acing synthetic workloads :) perf lo...</description><pubDate>Sat, 16 Apr 2022 23:23:22 +0000</pubDate></item><item><title>readelf 2.30 DOS (Assertion Fail/OOB read)</title><link>https://forum.spacehey.com/topic?id=83556</link><guid>https://forum.spacehey.com/topic?id=83556</guid><description>I haven&#039;t written about this anywhere but figured I should share. This is a DOS I found in readelf 2.30. Here are the two binaries that triggered this crash $ readelf --version GNU readelf (GNU Binutils for Ubuntu) 2.30 $ cat readelfcrash1.bin | base64 f0VMRgIBAQAAAAAAAAAAAAKdpwA+AAEAAAB4AEAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAQAA4 EAEAAAAA1BQAAQAAAAUAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAACAAAAAAAAAAIAAAA...</description><pubDate>Sun, 17 Apr 2022 03:29:03 +0000</pubDate></item></channel></rss>