
Thursday, January 26, 2012

Sunday, November 6, 2011

Memgrep 0.8.1b Release! (skape's code updated)

Here is the updated tarball!
http://priv.efnet.pe/~builder/memgrep-0.8.1b.tar.gz

Skape describes his program on the original site, http://hick.org/code/skape/memgrep/, as "A dynamic memory analysis utility for Linux and FreeBSD." That site also has all the documentation and older packages.

 * UPDATED by builder #priv@efnet. where you at skape?
 * couple of minor adjustments to make this compile on newer linux. was changed to and we added
 * an #include to in the #else linux section. next we just commented out the extern declaration at what is now
 * line 101. Added a NULL check on fgets() at line 652 to eliminate a warning. Also simple.c needs #include to stop
 * another minor warning. anyway, I really love this code and i hope skape will make it compatible with amd64 arch soon!


I take no credit for developing this code, but I really love it and skape hasn't updated it in forever so I made some minor changes to make it compile neatly on newer 32 bit linux systems. I have only tried on Ubuntu and Gentoo so if anything, this post will hopefully get some feedback and we can work together to make this tool popular again. My ultimate dream is to have this work on 64 bit architectures.

here is the usage, enjoi!

memgrep -- Run-time/core-time memory searching, dumping and modifying utility.
Usage: ./memgrep [-p pid] [-o core] [-T] [-d] [-r] [-s] [-e] [-a addr1,addr2,bss,addr3] [-l length]
                 [-f fmt,search data] [-t fmt,replace data] [-b pad] [-m minimum size]
                 [-F fmt] [-L] [-v] [-h]

   -p [pid]   The process id to operate on.
   -o [core]  The core file to operate on.
   -T         Build a referential tree for the given address(es).
   -d         Dump memory from the specified address(es) for the given length (-l).
   -r         Replace memory at the specified address(es).  If -s is also specified.
              only memory that matches the search criteria will be replaced.
   -s         Search memory at the specified address(es).
   -e         Enumerate the heap.
   -a [addr]  The address(es) to operate on seperated by commas.  Addresses can be
              in the following format:
                 0x821c4ac
                 821c4ac
              Also, the following keywords can be used:
                 bss       -> Uses the VMA associated with the .bss section (uninit global vars, heap data).
                 rodata    -> Uses the VMA associated with the .rodata section (read-only data, ie, static text).
                 data      -> Uses the VMA associated with the .data section (data, ie, global variables).
                 text      -> Uses the VMA associated with the .text section (text, ie, executable code).
                 stack     -> Dynamically determines the current stack pointer.
                 all       -> Uses bss, stack, rodata, data, text.  This is the only keyword that can be used
                              when operating on core files.
   -l [len]   The length to use when searching or dumping.  A length of 0 means search
              till end-of-memory.
   -f [data]  This specifies the search criteria.  Multiple formats are accepted for ease
              of use.  Below are accepted formats and their examples:
                 s -> String format  (Ex: 's,Testing')
                 x -> Hex format     (Ex: 'x,00414100AB')
                 i -> Integer format (Ex: 'i,4724')
   -t [data]  This specifies the replace data.  The same formats used with the -f parameter
              are valid for the -t parameter.
   -m [minsz] The minimum size of a heap allocation for use when enumerating.
   -b [pad]   Number of bytes of padding to use around dump addresses (default is 0).
   -F [fmt]   The format to use when dumping memory, can be one of the following:
                 hexint    -> Four byte hexi-decimal integers.
                 hexshort  -> Two byte hexi-decimal shorts.
                 hexbyte   -> One byte hexi-decimal characters.
                 decint    -> Four byte decimal integers.
                 decshort  -> Two byte decimal shorts.
                 decbyte   -> One byte decimal characters.
                 printable -> Printable characters.
   -L         List memory segments of a process or core file.
   -v         Version information.
   -h         Help.



   Example search (search for 'Jane' in .bss):

      ./memgrep -p 1335 -s -a bss -f s,Jane

   Example replace (replace memory at 0x8423143 and 0x8443147 with 0x00ff0041):

      ./memgrep -p 1335 -r -a 0x8423143,0x8443147 -t x,00ff0041

   Example search/replace (Replace 'Test' with 'Rest' in .bss and .rodata):

      ./memgrep -p 1335 -s -r -a bss,rodata -f s,Test -t s,Rest

   Example dump (Dump memory starting at 0x8422113 for 16 bytes):

      ./memgrep -p 1335 -d -a 0x8422113 -l 16
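The usage above is memgrep's own help text. To show what its -L, -s and -r options are built from, here is an added example (my code, not skape's and not from the memgrep tarball) that implements the same three building blocks stand-alone: a parser for one /proc/<pid>/maps line (what -L lists), a parser for the s/x/i search specs given to -f and -t, and a scanner that records every match in a memory region and, for the -s -r combination, patches only at the matched offsets. It assumes little-endian encoding for the i format (the 32-bit x86 hosts this post targets) and, as a simplification, that search and replace data encode to the same length; the sample region is constructed for the example and is not a real dump.

```c
/* Added example, not memgrep's own code: the pieces behind -L, -s and -r. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct segment { uintptr_t start, end; char perms[5]; };

/* Parse "08048000-08049000 r-xp 00000000 08:01 1234 /bin/foo". Returns 0 on success. */
static int parse_maps_line(const char *line, struct segment *seg)
{
    unsigned long lo, hi;
    if (sscanf(line, "%lx-%lx %4s", &lo, &hi, seg->perms) != 3 || hi <= lo) return -1;
    seg->start = lo;
    seg->end = hi;
    return 0;
}

/* Convert a memgrep-style spec ("s,Jane", "x,00414100AB", "i,4724") into raw bytes.
 * Returns the byte count, or -1 if malformed. Assumption: 'i' is little-endian (x86). */
static int parse_spec(const char *spec, unsigned char *out, size_t outsz)
{
    if (spec == NULL || spec[0] == 0 || spec[1] != ',') return -1;
    const char *data = spec + 2;
    size_t n = strlen(data);
    switch (spec[0]) {
    case 's':                               /* literal string, no terminator */
        if (n == 0 || n > outsz) return -1;
        memcpy(out, data, n);
        return (int)n;
    case 'x':                               /* two hex digits per byte */
        if (n == 0 || n % 2 != 0 || n / 2 > outsz) return -1;
        for (size_t i = 0; i < n; i += 2) {
            if (!isxdigit((unsigned char)data[i]) || !isxdigit((unsigned char)data[i + 1])) return -1;
            char pair[3] = { data[i], data[i + 1], 0 };
            out[i / 2] = (unsigned char)strtoul(pair, NULL, 16);
        }
        return (int)(n / 2);
    case 'i': {                             /* four-byte integer as laid out in memory */
        char *end;
        long v = strtol(data, &end, 10);
        if (n == 0 || *end != 0 || outsz < 4) return -1;
        uint32_t u = (uint32_t)v;
        for (int i = 0; i < 4; i++) out[i] = (unsigned char)(u >> (8 * i));
        return 4;
    }
    default:
        return -1;
    }
}

/* Record up to max_hits offsets where pat occurs in region; return the total hit count. */
static size_t scan_region(const unsigned char *region, size_t len,
                          const unsigned char *pat, size_t patlen,
                          size_t *hits, size_t max_hits)
{
    size_t count = 0;
    if (patlen == 0 || patlen > len) return 0;
    for (size_t off = 0; off + patlen <= len; off++)
        if (memcmp(region + off, pat, patlen) == 0) {
            if (count < max_hits) hits[count] = off;
            count++;
        }
    return count;
}

/* The -s -r combination: overwrite every match of search_spec with replace_spec.
 * Returns the number of patched locations, or -1 on a bad spec. Simplification for
 * this example: both specs must encode to the same length, so neighbours are untouched. */
static long replace_in_region(unsigned char *region, size_t len,
                              const char *search_spec, const char *replace_spec)
{
    unsigned char pat[256], rep[256];
    int plen = parse_spec(search_spec, pat, sizeof pat);
    int rlen = parse_spec(replace_spec, rep, sizeof rep);
    if (plen < 0 || rlen < 0 || plen != rlen) return -1;
    size_t hits[64];
    size_t n = scan_region(region, len, pat, (size_t)plen, hits, 64);
    if (n > 64) n = 64;
    for (size_t i = 0; i < n; i++) memcpy(region + hits[i], rep, (size_t)rlen);
    return (long)n;
}

/* Constructed stand-in for a dumped .bss page: "Jane", "Test" twice, a hex blob, and 4724. */
static unsigned char sample_region[] = {
    'J','a','n','e',0, 'T','e','s','t',0, 0x00,0x41,0x41,0x00,0xAB,
    'T','e','s','t',0, 0x74,0x12,0x00,0x00
};
static const size_t sample_len = sizeof sample_region;

int main(void)
{
    struct segment seg;
    if (parse_maps_line("08048000-08049000 r-xp 00000000 08:01 1234 /bin/foo", &seg) == 0)
        printf("segment %#lx-%#lx %s\n", (unsigned long)seg.start, (unsigned long)seg.end, seg.perms);
    unsigned char pat[256];
    size_t hits[8];
    int plen = parse_spec("s,Test", pat, sizeof pat);
    size_t n = scan_region(sample_region, sample_len, pat, (size_t)plen, hits, 8);
    for (size_t i = 0; i < n; i++) printf("'Test' at offset %zu\n", hits[i]);
    printf("patched %ld locations\n", replace_in_region(sample_region, sample_len, "s,Test", "s,Rest"));
    return 0;
}
```

Against a live process the region would come from reading /proc/<pid>/mem (or PTRACE_PEEKDATA) between the start and end of a segment returned by parse_maps_line; the scanning and patching logic is the same, which is why a search hit on a mutable page (-s -r) is the part to log and review when this kind of tool shows up on a host you defend.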




Monday, September 5, 2011

HowTo Install Arduino on BackTrack 5

I didn't want to make a second post for today, but I have a real treat for you!
http://jon.oberheide.org/files/half-nelson.c
The always cutting-edge Jon Oberheide released his stack-based overflow for the econet_sendmsg function, affecting kernels < 2.6.36.2.
Also an LKM rickroller: https://github.com/fpletz/kernelroll


+++

This is meant to be a quick tutorial for the x86 architecture, and you should have root permissions. If this does not work, please refer to http://www.arduino.cc/playground/Linux/Ubuntu for more detailed instructions for Arduino on Ubuntu (which is what BackTrack is based on).

The first thing you should do is plug your Arduino board into the BackTrack 5 machine (assuming via USB) and type:

#modprobe ftdi_sio
#dmesg

in a console. You should see something like this in the dmesg output.
[91296.051432] usb 5-1: FTDI USB Serial Device converter now attached to ttyUSB0

If not, it is likely you need to recompile your kernel to include this support. Most likely, though, it is built as a module, so the modprobe command above will have loaded it. Next we will go ahead and grab the Debian packages needed:


#mkdir /tmp/arduino
#cd /tmp/arduino
#wget http://mirror.pnl.gov/ubuntu//pool/universe/r/rxtx/librxtx-java_2.2pre2-3~maverick1_i386.deb
#wget http://mirror.pnl.gov/ubuntu//pool/universe/a/arduino/arduino-core_0022+dfsg-1~maverick1_all.deb
#wget http://mirror.pnl.gov/ubuntu//pool/universe/a/arduino/arduino_0022+dfsg-1~maverick1_all.deb

Now we are ready to install everything on the system! First use apt to install avrdude, which is the microcontroller programmer, and the rest of the AVR toolchain. Then just use dpkg -i to install the .debs:


#apt-get install avrdude
#apt-get install gcc-avr
#apt-get install binutils-avr
#apt-get install avr-libc
#dpkg -i *.deb


If it complains about dependency problems, then just run:

#apt-get -f install

and then run dpkg one more time:

#dpkg -i *.deb

If you didn't get any errors, you should be able to run "arduino" in a terminal, which will bring up the IDE. I suggest opening the example blink program, changing the delay() values to something fast (200 will work), and uploading it to the board. Pin 13 gives warning blinks, so this will verify everything is working. Remember to press the reset button while uploading and to change the settings in the sketch program to match the board you have. If anyone does any network or hacking related Arduino projects, I would love to hear from you. Check us out on EFnet IRC at #priv.